- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to build a transaction from multiple, some...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to build a transaction from multiple, somewhat disparate, indexes
Hi,
I have three indexes that I'm trying to build a transaction from. the first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for.
The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records.
Any thoughts on how to create this type of transaction?
Thanks!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does the 3rd index have ip? If so, what happens when you try to build a transaction on ip and user_name?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe this isn't the best place to ask this question but I'll try anyway.
Can I transaction span multiple indexes and multiple sourcetypes? It seems like it can but I thought I would ask to verify it.
Curt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Curtgan, Yes, this isn't the right place, you should really have started a new question. But the answer to your question is, yes, transaction doesn't care so long as the time settings and field are right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What fields do exists in the third index that might be used to unite those events with events from one of the first two indexes? A subsearch or double-transaction might work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The username field does not exist from the third index.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am also keen to see what the data looks like as mentioned by southeringtonp. Have you thought about doing data enrichment using a lookup of some unique data and then using the new field to transact on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does your data look like? Is the username completely missing from the third index, or just not extracted into that field?
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
