I'm after some advice on the best way to create a search for the following scenario.
I have 3 data sources, A,B,C where there is a common field between A<-->B and a different common field between B<-->C
What I want to find, is how many events occur in A and C. I can see that I can create a transaction across A&B or B&C, but I'm unsure how to correlate across these sources when the common information changes.
Any tips would be great!
Lets call one field the
ab and the other
This is sort of ambiguous:
how many events occur in A and C
Are you looking for events that started in A and went through to B to C ? The count of events that have a relationship via B, from A<-->C ?
Have you considered using a field alias in B so that the same field can be used from A<-->C , that is,
ab also equals
You are right. Transaction is very powerful command but there is a limitation of it - its not advisable to use in clustered environment and it takes lot of resources too.
Another alternative is to use - subsearch.
sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B | table ]
Sourcetype A and Sourcetype B - common field is ipaddress
Sourcetype B and Sourcetype C - common field is username
sourcetype=A OR sourcetype=C [search sourcetype=A OR sourcetype=B ipaddress=* ipaddress | table username]
1) First search for information in sourcetype A and B using common field between A and B and identify the field which is common between B and C (i.e. table username)
2) Pass results from inner query to outer query.
Hope this helps.
So assuming your data looks like this:
event_1A sessionID=someValue event_1B sessionID=someValue jqueryResponse=someValue event_1C jqueryResponse=someValue
Then you can do a double transaction (NOTE: I'm doing this off the top of my head so yeah it could not work right - you may need to finagle.)
<your_search_for_events> | transaction sessionID keeporphans=true | transaction jqueryResponse | <do_other_things>
There may be a more streamlined search, but this one comes to mind.