Splunk Search

help me with search query for my use case

sravankaripe
Communicator

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | where TRANSACTION_ID=[search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

I have some IDs in EVENT_DIRECTION=in
I need to retrieve the corresponding events from EVENT_DIRECTION=out

0 Karma
1 Solution

briancronrath
Contributor

I'd recommend using transaction:

index="ABC" sourcetype="XYZ" ENV=production someservice (EVENT_DIRECTION=out OR EVENT_DIRECTION=in) | transaction TRANSACTION_ID maxspan=100s

However if you want to stick to a subsearch I'd just join the data in:

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | join TRANSACTION_ID [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

Just remember that with a subsearch your results can only go up to what your configured max subsearch results value is.


0 Karma

woodcock
Esteemed Legend

This is exactly what you asked (ditch the where):

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

But why not one of these instead:

index="ABC" sourcetype="XYZ" ENV=production someservice | stats list(_raw) BY TRANSACTION_ID
index="ABC" sourcetype="XYZ" ENV=production someservice | stats values(*) AS * BY TRANSACTION_ID

In any case, definitely do NOT use transaction for this use case.

0 Karma
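An added example, not from any poster in this thread, showing the stats-based direction both answers point at: the first search returns the EVENT_DIRECTION=out events whose TRANSACTION_ID also has an in event, using eventstats instead of a subsearch, so the result is not capped by the max subsearch results limit; the second goes a step further and summarises per TRANSACTION_ID, flagging in events that never got an out. Field names are the ones used in the thread; it assumes EVENT_DIRECTION only ever takes the values in and out.

```spl
index="ABC" sourcetype="XYZ" ENV=production someservice (EVENT_DIRECTION=in OR EVENT_DIRECTION=out)
| eventstats dc(EVENT_DIRECTION) AS direction_count BY TRANSACTION_ID
| where direction_count=2 AND EVENT_DIRECTION="out"
| fields - direction_count

index="ABC" sourcetype="XYZ" ENV=production someservice (EVENT_DIRECTION=in OR EVENT_DIRECTION=out)
| stats count(eval(EVENT_DIRECTION="in")) AS in_events, count(eval(EVENT_DIRECTION="out")) AS out_events, min(_time) AS first_seen, max(_time) AS last_seen BY TRANSACTION_ID
| eval latency_s=last_seen-first_seen
| where in_events>0 AND out_events=0
```

Because both searches read all matching events in one pass, a large number of in transactions does not silently truncate the result the way a subsearch that exceeds its limit does.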


sravankaripe
Communicator

This one is working for me. Thanks.

index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=out | join TRANSACTION_ID [search index="ABC" sourcetype="XYZ" ENV=production someservice EVENT_DIRECTION=in | dedup TRANSACTION_ID| table TRANSACTION_ID]

0 Karma