Hi mattbrik,
A very easy way to do such a search is using stats, like this:
( index=a OR index=b OR index=c ) AND ( sourcetype=sourcetype1 OR sourcetype=sourcetype2 OR sourcetype=sourcetype3 )
| stats values(*) AS * by CommonField
| do more SPL-Fu ....
You can read more about this topic here: https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-join-append-or-use-of-subsearches.html
Another piece of free advice: forget about transaction and join, and use stats; you will not regret it 😉. Also, if you need transactional events, just add _time to the by clause of the stats.
Hope this helps ...
cheers, MuS
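The pattern from the answer above, as an added example that is not part of the original post: it builds seven constructed events with makeresults instead of reading real indexes, so it can be pasted into any search bar. The field names src_ip, action and bytes, the values alice and bob, and the helper field n are assumptions made up for the illustration; CommonField and the sourcetype names are taken from the answer.

```spl
| makeresults count=7
| streamstats count AS n
| eval sourcetype=case(n<=2, "sourcetype1", n<=4, "sourcetype2", true(), "sourcetype3")
| eval CommonField=case(n==7, null(), n%2==1, "alice", true(), "bob")
| eval src_ip=if(sourcetype=="sourcetype1", if(CommonField=="alice", "10.0.0.5", "10.0.0.9"), null())
| eval action=if(sourcetype=="sourcetype2", if(CommonField=="alice", "login", "logout"), null())
| eval bytes=if(sourcetype=="sourcetype3", n*100, null())
| fields - n
| stats values(*) AS * by CommonField
```

The result has one row per CommonField value (alice and bob), each carrying the src_ip, action and bytes contributed by the three sourcetypes, plus a multivalue sourcetype field showing which sources matched. The seventh event has no CommonField and is dropped by the by clause, so a source that does not populate the shared field will silently go missing from the correlation.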