Solved: How to create a report based on different source t...

guarisma · ‎10-24-2016

Hello,

I have several different source types and I need to create a report on them, most of them have events with all the fields I need, but one of them doesn't because the events are broken into other events that can become a transaction.
When I pipe only those events to the transaction command I get all the fields I need, but I don't know how to incorporate the results with the other searches that don't require a transaction.

for example:

This is the search for my normal report:

index=* sourcetype=a sourcetype=b | table file_name, action, user

And this is the search I have to incorporate into the report:

index=* sourcetype=c | transaction id| table file_name, action, user

What can I do?

Thanks.

somesoni2 · ‎10-24-2016

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]

View solution in original post

somesoni2 · ‎10-24-2016

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]

guarisma · ‎10-25-2016

Yes, this works.
I also found the multisearch command, any recommendations on which might be better?

Thanks

How to create a report based on different source types and include the results from a search on 1 source type that requires a transaction command?

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

Splunk Smartness with Brandon Sternfield | Episode 3