Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to build a transaction from multiple, somewhat disparate, indexes

castle1126
Communicator
‎03-25-2011 02:36 AM

Hi,

I have three indexes that I'm trying to build a transaction from. the first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for.

The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records.

Any thoughts on how to create this type of transaction?

Thanks!!

Tags (1)
Reply

BenAveling
Path Finder
‎09-15-2013 11:22 PM

Does the 3rd index have ip? If so, what happens when you try to build a transaction on ip and user_name?

0 Karma
Reply

curtgran
Explorer
‎09-28-2011 12:47 PM

Maybe this isn't the best place to ask this question but I'll try anyway.

Can I transaction span multiple indexes and multiple sourcetypes? It seems like it can but I thought I would ask to verify it.

Curt

0 Karma
Reply

sdwilkerson
Contributor
‎09-28-2011 01:22 PM

Curtgan, Yes, this isn't the right place, you should really have started a new question. But the answer to your question is, yes, transaction doesn't care so long as the time settings and field are right.

0 Karma
Reply

sdwilkerson
Contributor
‎08-23-2011 02:12 PM

What fields do exists in the third index that might be used to unite those events with events from one of the first two indexes? A subsearch or double-transaction might work.

0 Karma
Reply

castle1126
Communicator
‎04-07-2011 04:38 PM

The username field does not exist from the third index.

0 Karma
Reply

b4ggio
Explorer
‎04-07-2011 03:00 PM

I am also keen to see what the data looks like as mentioned by southeringtonp. Have you thought about doing data enrichment using a lookup of some unique data and then using the new field to transact on.

Reply

southeringtonp
Motivator
‎03-25-2011 01:36 PM

What does your data look like? Is the username completely missing from the third index, or just not extracted into that field?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...