Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Joining Transactions

Hazel
Communicator
‎04-27-2010 05:01 PM

Hello,

I have two searches that use transactions to get part of a table of results that I want.

Firstly, 

index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "*sample*" | transaction instance | fields instance, application, config | fields - _time

This brings me a table, eg

App1     Result1
         Result2 exampletext
         Result3

App2     Result4 A text
         Result5 b
         Result6 c

And a second, which produces similar for a different sourcetype

index="ems" sourcetype="factoryconfig" | search NOT "" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance

App1    Connection1 details
        Connection2 details
        Connection3 details

App2    Connection4 details
        Connection5 details
        Connection6 details

What i want to do, is join the two searches

 index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]

To get a table such as

App1     Result1               Connection1 - url - type
         Result2 exampletext   Connection2 - url - type
         Result3               Connection3 - url - type

App2     Result4 A text        Connection4 - url - type
         Result5 b             Connection5 - url - type
         Result6 c             Connection6 - url - type

But, when I do a join, it messes up the formatting and i get this, ie it gets rid of my nice formatting. Does anyone know why?

App1     Result1 Result2 example text Result3   Connection1 - url - type Connection2  - url - type Connection3 - url - type

App2     Result4 A text Result5 b Result6 c       Connection4 - url - type  Connection5  - url - type Connection6 - url - type
Reply

Paolo_Prigione
Builder
‎07-20-2010 12:41 PM

Hi Hazel, it seems like you lost the "multivalue" property for those fields. Have you tried to force a:

... | makemv delim="<proper delimiter>" factoryconfig | makemv delim="<proper delimiter>" config

at the end of the search string? You might have to cook a delimiter into the original fields to be able to split them at the end of the search string.

I was able to obtain a messed up table as in your example with this query:

index="test" earliest=-10d 
| rex field=source "(?<path>(\w+\\\\)+)" 
| bucket _time span=10m 
| transaction path 
| fields host, path, source 
| fields - _time 
| join s max=0 
    [search index="test" earliest=-10d 
    | rex field=source "(?<path>(\w+\\\\)+)" 
    | rex field=source "(?<filename>[^\\\\]+)$" 
    | bucket _time span=10m 
    | transaction path 
    | fields host, path, source, filename 
    | fields - _time]

And was able to restore the multivalues by appending this at the end:

... | table host source path filename
| makemv delim=" " source 
| makemv delim=" " filename

Hope that helped you out a bit

Reply

Hazel
Communicator
‎06-03-2010 02:23 PM

index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]

0 Karma
Reply

Lowell
Super Champion
‎06-03-2010 01:20 PM

Can you add to your post the search that you are using to do the join. I see the two base searches, but there could be an issue with how you are using the join search command that would help reveal the issue.

0 Karma
Reply

Lowell
Super Champion
‎06-02-2010 01:26 PM

Hazel, is this still an open issues for you? I don't fully get what you are asking, but I'm wondering if your Using Multiple stats list question was part of the answer to this question as well.

0 Karma
Reply

Hazel
Communicator
‎06-03-2010 07:59 AM

Hi, yes I was still hoping for an answer for this one - might raise a support case. In this one, I get the data fine, but the question is to do with the formatting. As you can see in my two separate searches, it is formatted nicely on multiple lines, but when I join the searches, you lose this feature.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...