Splunk Search

help me with search query for my use case

sravankaripe
Communicator

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | where TRANSACTION_ID=[search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

I have some IDs in EVENT_DIRECTION=in.
I need to retrieve the corresponding events from EVENT_DIRECTION=out.

0 Karma
1 Solution

briancronrath
Contributor

I'd recommend using transaction:

index="ABC" sourcetype="XYZ" ENV=production someservice (EVENT_DIRECTION=out OR EVENT_DIRECTION=in) | transaction TRANSACTION_ID maxspan=100s

However if you want to stick to a subsearch I'd just join the data in:

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | join TRANSACTION_ID [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

Just remember that with a subsearch your results can only go up to what your configured max subsearch results value is.


0 Karma

woodcock
Esteemed Legend

This is exactly what you asked (ditch the where):

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

But why not one of these instead:

index="ABC" sourcetype="XYZ" ENV=production someservice | stats list(_raw) BY TRANSACTION_ID
index="ABC" sourcetype="XYZ" ENV=production someservice | stats values(*) AS * BY TRANSACTION_ID

In any case, definitely do NOT use transaction for this use case.

0 Karma
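As an added example (not from any post in this thread), here is the stats-based correlation woodcock suggests, extended to pair each in event with its out event and to flag transactions that have only one side. Because everything is grouped in a single pass, it also sidesteps the subsearch result cap briancronrath mentions (limits.conf [subsearch] maxout). The index, sourcetype and field names are the ones used in the thread; the status labels and the 100-second latency threshold are assumed for illustration.

```spl
index="ABC" sourcetype="XYZ" ENV=production someservice (EVENT_DIRECTION=in OR EVENT_DIRECTION=out)
| eval in_time=if(EVENT_DIRECTION=="in", _time, null()),
       out_time=if(EVENT_DIRECTION=="out", _time, null())
| stats min(in_time) AS in_time,
        max(out_time) AS out_time,
        count(eval(EVENT_DIRECTION=="in")) AS in_count,
        count(eval(EVENT_DIRECTION=="out")) AS out_count,
        values(_raw) AS raw_events
        BY TRANSACTION_ID
| eval status=case(in_count>0 AND out_count>0, "paired",
                   in_count>0 AND out_count==0, "no_out_event",
                   true(), "out_without_in"),
       latency_s=if(status=="paired", out_time-in_time, null())
| table TRANSACTION_ID status in_count out_count in_time out_time latency_s raw_events
```

Appending `| where status!="paired" OR latency_s>100` turns this into a check for requests that never produced a response (or took longer than the assumed threshold), which is usually the more useful question than simply listing the out events. Note that `values(_raw)` is bounded by the stats list limit, so on very chatty transactions keep only the fields you need instead of the whole raw event.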


sravankaripe
Communicator

This one is working for me. Thanks!

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | join TRANSACTION_ID [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

0 Karma