Hello Splunkers,
I'm using a JOIN expression to classify a type of error. I want to have all errors classified like an eventtype to make searches and charts easier for future users.
For example, 2 events:
1. The first event has the name of the process (for example, xError) and its ID_Number (for example, 999).
2. The second event has information about an exception -> "Caught exception" and the same ID_Number = 999.
Edit: I want to have the second event marked as eventtype=xError.
My search:
index="test" Caught exception | JOIN ID_Number [search index="test" xError]
How can I export it to an eventtype or something else? Message: Eventtype search string cannot be a search pipeline or contain a subsearch
I would like to have these results in an event type or as an "interesting field". Is it possible to do that? How?
I would be grateful for help!
Regards