I have three indexes that I'm trying to build a transaction from. the first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for.
The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records.
Any thoughts on how to create this type of transaction?
Maybe this isn't the best place to ask this question but I'll try anyway.
Can I transaction span multiple indexes and multiple sourcetypes? It seems like it can but I thought I would ask to verify it.
Curtgan, Yes, this isn't the right place, you should really have started a new question. But the answer to your question is, yes, transaction doesn't care so long as the time settings and field are right.
I am also keen to see what the data looks like as mentioned by southeringtonp. Have you thought about doing data enrichment using a lookup of some unique data and then using the new field to transact on.