Solved: How to create a report based on different source t...

guarisma · ‎10-24-2016

Hello,

I have several different source types and I need to create a report on them, most of them have events with all the fields I need, but one of them doesn't because the events are broken into other events that can become a transaction.
When I pipe only those events to the transaction command I get all the fields I need, but I don't know how to incorporate the results with the other searches that don't require a transaction.

for example:

This is the search for my normal report:

index=* sourcetype=a sourcetype=b | table file_name, action, user

And this is the search I have to incorporate into the report:

index=* sourcetype=c | transaction id| table file_name, action, user

What can I do?

Thanks.

somesoni2 · ‎10-24-2016

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]

View solution in original post

somesoni2 · ‎10-24-2016

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]

guarisma · ‎10-25-2016

Yes, this works.
I also found the multisearch command, any recommendations on which might be better?

Thanks

How to create a report based on different source types and include the results from a search on 1 source type that requires a transaction command?

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...