Join Earlier Joins with Later

grex2595 · ‎12-07-2018

I'm doing a join where I want to only get subsearch events that happened before the parent search event. Thus, I'm using:

txnEnd | spath output=custID path=path | join custID [search txnStart | spath output=amount path=path] | table custID, amount

Since txnEnd comes after txnStart , I'm using join's default usetime=true earlier=true. Whether or not I explicitly state these values, I am getting records on the table where txnStart happens after txnEnd (tested by getting the _time of each event and displaying the difference between them).

Why doesn't Splunk only join on the earlier events? What can I do to make it so that txnEnd will only join with events from txnStart that happened before txnEnd ?

Edit

I thought I might mention that the same custID applies to multiple txnEnds and multiple txnStarts. The two events do not have a unique ID that will tie them together, so I have to determine which txnStart belongs to txnEnd based off of which txnStart with the same custID happened the most recently before txnEnd.

nagarjuna280 · ‎12-08-2018

First group all events together, don't use joins.

Pull transaction start and end, If you have these two events in different index OR sourcetypes, then append transaction start events to end using append command

| transaction custID startswith="something which is in transction start events" endwith="something which is in transction end events"

go through Transaction command in Splunk doc, you get to know how to use this command

Join Earlier Joins with Later

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms