Hi,
I need your help to understand which road to test.
I have raw events like this
11/02/2013 sessionID1 fields1 fields2 ...
11/02/2013 sessionID2 fields1 fields2 ...
and some other event instead
14/02/2013 sessionID1 fields3 field4 userID1 ...
17/02/2013 sessionID2 fields1 fields2 UserID1 ...
userID is populated only when a certain event occurs.
I would like to add the userID also to the event without it, to be able to identify every action made by each user (in this way I can use transaction on userID).
11/02/2013 sessionID1 fields1 fields2 userID1...
11/02/2013 sessionID2 fields1 fields2 userID1...
14/02/2013 sessionID1 fields3 field4 userID1 ...
17/02/2013 sessionID2 fields1 fields2 userID1 ...
I was thinking to create, somehow outside Splunk, a lookup table with every sessionID connected with its userID.
Any idea to do something like this using only Splunk?
Thanks a lot for any suggestion
If you are able to create a lookup table file (say SessionUser.csv with fields sessionID and userID), then use the following to get the userID field for all the events.
your base search | lookup SessionUser.csv sessionID OUTPUT userID
This will add userID to all events provided a matching sessionID is present in the lookup table file.
Other less efficient options would be (without lookup) using join (would do the same)
<your base search> | join type=left sessionID [search <your base search> | stats count by sessionID, userID | fields - count ]
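The two-pass approach from the answer (first build the sessionID to userID table, then look every event up in it) worked through in Python as an added example, not part of this thread or of Splunk itself. The sample events and the field names `_time`, `sessionID`, `action`, `userID` are constructed assumptions standing in for whatever Splunk extracts from the raw lines; the example also handles the case the answer does not mention, a session that was seen with more than one userID, by flagging it rather than guessing.

```python
"""Build the sessionID -> userID lookup from events that carry a userID, then apply it."""
from collections import defaultdict
import csv
import io

# Constructed sample events modelled on the post; field names are assumptions
# standing in for whatever Splunk extracts from the raw lines.
RAW_EVENTS = [
    {"_time": "11/02/2013", "sessionID": "sessionID1", "action": "fields1"},
    {"_time": "11/02/2013", "sessionID": "sessionID2", "action": "fields1"},
    {"_time": "14/02/2013", "sessionID": "sessionID1", "action": "fields3", "userID": "userID1"},
    {"_time": "17/02/2013", "sessionID": "sessionID2", "action": "fields1", "userID": "userID1"},
    {"_time": "18/02/2013", "sessionID": "sessionID3", "action": "fields2"},  # never logs in
]

def build_lookup(events):
    """First pass, the `stats count by sessionID, userID` of the answer:
    every userID observed per sessionID, kept as a set so ambiguity is visible."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("sessionID") and ev.get("userID"):
            seen[ev["sessionID"]].add(ev["userID"])
    return dict(seen)

def lookup_to_csv(lookup):
    """Write the unambiguous pairs as SessionUser.csv, the file the answer names."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["sessionID", "userID"])
    for sid in sorted(lookup):
        if len(lookup[sid]) == 1:
            writer.writerow([sid, next(iter(lookup[sid]))])
    return buf.getvalue()

def enrich(events, lookup):
    """Second pass, `| lookup SessionUser.csv sessionID OUTPUT userID`: copy the
    session's userID onto events lacking one; ambiguous sessions are flagged, not guessed."""
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's events
        if not ev.get("userID"):
            users = lookup.get(ev.get("sessionID"), set())
            if len(users) == 1:
                ev["userID"] = next(iter(users))
            elif users:
                ev["userID_conflict"] = ",".join(sorted(users))
        out.append(ev)
    return out
```

Events whose session never carried a userID (sessionID3 above) stay unattributed, which is also what the `lookup` command does when no row matches.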
Thank you, but I wasn't asking how to use lookup, but efficient ways or ideas to how solve my problem