Splunk Search

Is using the transaction command an overkill in this case?

jliu531
Engager

If I have two searches as below (uniqueId is a common field that exists in both searches, while field1 and field2 are unique fields that only apply to their own search)

EVENT_CONTAIN_SOME_KEYWORD | table uniqueId, field1
EVENT_CONTAIN_ANOTHER_KEYWORD | table uniqueId, field2

Then I can use the transaction command to combine the tables (it is safe to assume there is only one field1 and one field2 for every uniqueId)

EVENT_CONTAIN_SOME_KEYWORD OR EVENT_CONTAIN_ANOTHER_KEYWORD
| transaction uniqueId
| table uniqueId, field1, field2

I am not using any of those startswith / endswith / maxspan / maxpause args really.
Is there a way to avoid using transaction, and make my query more efficient?

Thanks!


richgalloway
SplunkTrust

Try stats.

EVENT_CONTAIN_SOME_KEYWORD OR EVENT_CONTAIN_ANOTHER_KEYWORD
| stats values(field1) as field1, values(field2) as field2 by uniqueId
| table uniqueId, field1, field2
---
If this reply helps you, Karma would be appreciated.
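A variant of the stats approach, added here as an example rather than taken from the answer above, that also checks the "one field1 and one field2 per uniqueId" assumption instead of silently folding extra values into multivalue fields. The names field1_count, field2_count and assumption_ok are my own; the keyword placeholders and field names are the ones used in the question.

```spl
EVENT_CONTAIN_SOME_KEYWORD OR EVENT_CONTAIN_ANOTHER_KEYWORD
| stats values(field1) as field1, values(field2) as field2,
        dc(field1) as field1_count, dc(field2) as field2_count
        by uniqueId
| eval assumption_ok=if(field1_count<=1 AND field2_count<=1, "yes", "no")
| where isnotnull(field1) AND isnotnull(field2)
| table uniqueId, field1, field2, assumption_ok
```

Rows with assumption_ok="no" are the uniqueIds where more than one distinct field1 or field2 was seen, so field1 or field2 is multivalue there; the isnotnull line keeps only uniqueIds present in both searches, and can be dropped if single-sided groups are wanted as well.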