Re: Need an alternative to transaction command for...

rijutha · ‎04-27-2017

I have a data set like the below:

2017-04-26 10:00:00 correlation_id=a1000 msg=testing1000
2017-04-26 10:02:00 correlation_id1=b1000 correlation_id=a1000 msg=testing
2017-04-26 10:03:00 correlation_id1=b1000 msg=testing1
2017-04-26 10:04:00 correlation_id1=b1000 msg=testing2
2017-04-26 10:00:00 correlation_id=a2000 msg=testing1000
2017-04-26 10:02:00 correlation_id1=b2000 correlation_id=a2000 msg=testing
2017-04-26 10:03:00 correlation_id1=b2000 msg=testing1
2017-04-26 10:04:00 correlation_id1=b2000 msg=testing2
2017-04-26 10:05:00 correlation_id1=b1000 correlation_id2=c1000 msg=testing1
2017-04-26 10:06:00 correlation_id2=c1000 msg=testing2

I need to run a query which will map correlation_id with its correlation_id1 and in turn correlation_id1 to correlation_id2. I am able to get the list of events in this manner using the transaction command. However it is making my search query slow for large data sets. What would be the best alternative to transaction for this kind of data set? Thanks in advance.

SplunkersRock · ‎04-27-2017

try this commands
streamstats, autoregress, delta, etc.

rijutha · ‎04-27-2017

Thank you, SplunkersRock. Can you please show me an example for the dataset I have given in my question above?

Need an alternative to transaction command for the following type of data set

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

Improve Data Pipelines Using Splunk Data Management

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?