Ok, so title might not say exactly what I'm looking for but here is my scenario.
a. We have users who received error message
b. We have users who have signed_in field value set to 'y'
We need to find those users who have field_a value set to 'y' and received the error message.
The problem is that the signed_in field does not exist in the error message.
Message 1 has these fields: user_id, signed_in (boolean value of 'y' or 'n')
Message 2 has these fields: user_id, error_description
I've tried using transactions, but with millions of events search takes forever.
A push in the right direction is appreciated.
Thanks
I would go with a subsearch:
<message2 search> [search <message1 search> | dedup user_id | fields user_id] | stats count by user_id
I've tried that, but for some reason every time I run that search I get different numbers
earliest="11/16/2014:09:00:00" latest="11/16/2014:20:00:00" error_description="RequestUserLeagues - Could not obtain enabled leagues" [search fantasy_leagues=y | dedup user_id | fields user_id] | stats dc(user_id)
After cleaning up the search and referencing the Splunk docs, I got it working:
earliest="11/16/2014:09:00:00" latest="11/16/2014:20:00:00" error_description="*RequestUserLeagues - Could not obtain enabled leagues*" [search earliest="11/16/2014:09:00:00" latest="11/16/2014:20:00:00" fantasy_leagues=y | dedup user_id | fields user_id] | stats dc(user_id) as UsersWithIncorrectMessage
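The search above does three things that are easy to get wrong: the subsearch is restricted to the same time window as the outer search, the subsearch output is deduplicated on user_id before it is handed back, and the error_description match uses leading and trailing wildcards. The following Python script is an added example, not part of the thread and not Splunk code; it replays that logic over a handful of constructed events (field names taken from the thread, values made up) so the effect of each piece can be checked offline. The `bound_subsearch` switch and the exact-versus-wildcard pattern are illustration parameters, not Splunk options.

```python
from datetime import datetime
from fnmatch import fnmatchcase

TIME_FMT = "%m/%d/%Y:%H:%M:%S"  # the earliest/latest format used in the thread

# Constructed sample events (not real data). Message 1 carries fantasy_leagues,
# message 2 carries error_description; both carry user_id and _time.
EVENTS = [
    {"_time": "11/16/2014:08:00:00", "user_id": "u5", "fantasy_leagues": "y"},  # before window
    {"_time": "11/16/2014:09:15:00", "user_id": "u1", "fantasy_leagues": "y"},
    {"_time": "11/16/2014:09:20:00", "user_id": "u2", "fantasy_leagues": "n"},
    {"_time": "11/16/2014:09:30:00", "user_id": "u1", "fantasy_leagues": "y"},  # duplicate user
    {"_time": "11/16/2014:10:00:00", "user_id": "u3", "fantasy_leagues": "y"},
    {"_time": "11/16/2014:11:00:00", "user_id": "u1",
     "error_description": "RequestUserLeagues - Could not obtain enabled leagues"},
    {"_time": "11/16/2014:11:10:00", "user_id": "u1",
     "error_description": "RequestUserLeagues - Could not obtain enabled leagues"},  # same user again
    {"_time": "11/16/2014:11:30:00", "user_id": "u2",
     "error_description": "RequestUserLeagues - Could not obtain enabled leagues"},
    {"_time": "11/16/2014:12:00:00", "user_id": "u3",
     "error_description": "[api] RequestUserLeagues - Could not obtain enabled leagues (retry 2)"},
    {"_time": "11/16/2014:13:00:00", "user_id": "u5",
     "error_description": "RequestUserLeagues - Could not obtain enabled leagues"},
    {"_time": "11/16/2014:21:00:00", "user_id": "u4",
     "error_description": "RequestUserLeagues - Could not obtain enabled leagues"},  # after window
]


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def in_window(event, earliest, latest):
    """earliest is inclusive, latest is exclusive, as in Splunk."""
    t = parse_time(event["_time"])
    return parse_time(earliest) <= t < parse_time(latest)


def subsearch_user_ids(events, earliest=None, latest=None):
    """Inner search: fantasy_leagues=y | dedup user_id | fields user_id.

    With earliest/latest left as None the subsearch is not time-bounded,
    which is how the first attempt in the thread was written."""
    ids = set()
    for e in events:
        if e.get("fantasy_leagues") != "y":
            continue
        if earliest and latest and not in_window(e, earliest, latest):
            continue
        ids.add(e["user_id"])  # set membership is the dedup
    return ids


def matches_pattern(value, pattern):
    """Wildcard match on a field value, case-insensitive like a Splunk field search."""
    return fnmatchcase(value.lower(), pattern.lower())


def users_with_incorrect_message(events, earliest, latest, pattern, bound_subsearch=True):
    """Outer search filtered by the subsearch's user_ids, then stats dc(user_id)."""
    allowed = subsearch_user_ids(
        events,
        earliest if bound_subsearch else None,
        latest if bound_subsearch else None,
    )
    hit = set()
    for e in events:
        desc = e.get("error_description")
        if desc is None or not in_window(e, earliest, latest):
            continue
        if not matches_pattern(desc, pattern):
            continue
        if e["user_id"] in allowed:
            hit.add(e["user_id"])
    return len(hit)  # dc(user_id)


if __name__ == "__main__":
    E, L = "11/16/2014:09:00:00", "11/16/2014:20:00:00"
    wild = "*RequestUserLeagues - Could not obtain enabled leagues*"
    exact = "RequestUserLeagues - Could not obtain enabled leagues"
    print("bounded, wildcard  :", users_with_incorrect_message(EVENTS, E, L, wild))
    print("bounded, exact     :", users_with_incorrect_message(EVENTS, E, L, exact))
    print("unbounded, wildcard:", users_with_incorrect_message(EVENTS, E, L, wild, False))
```

In the sample data u5's signed-in event falls before the window, so bounding the subsearch drops that user; u3's error text has extra surrounding text, so only the wildcard pattern picks it up; and u1's two error events count once because the final `stats dc(user_id)` is a distinct count.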