Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a report based on different source types and include the results from a search on 1 source type that requires a transaction command?

guarisma
Contributor
‎10-24-2016 04:05 PM

Hello,

I have several different source types and I need to create a report on them, most of them have events with all the fields I need, but one of them doesn't because the events are broken into other events that can become a transaction.
When I pipe only those events to the transaction command I get all the fields I need, but I don't know how to incorporate the results with the other searches that don't require a transaction.

for example:

This is the search for my normal report:

index=* sourcetype=a sourcetype=b | table file_name, action, user

And this is the search I have to incorporate into the report:

index=* sourcetype=c | transaction id| table file_name, action, user

What can I do?

Thanks.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-24-2016 08:24 PM

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎10-24-2016 08:24 PM

Try like this

index=* sourcetype=a OR sourcetype=b | table file_name, action, user | append [search index=* sourcetype=c | transaction id| table file_name, action, user]
Reply
Solved! Jump to solution

guarisma
Contributor
‎10-25-2016 06:36 AM

Yes, this works.
I also found the multisearch command, any recommendations on which might be better?

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...