Good Day, I am trying to come up with ideas to translate a Sumo Transactional search with (States) Conditions to a Splunk Query. If anyone can provide some other options, please let me know.

Here is my sample Sumo search:

_sourceCategory=prod/app/m/* and "statement" and ("Search Keys" or "STATUS=ERROR" or Error)
| parse "[ID=*]" as MID nodrop
| transactionize MID (merge MID takeFirst, _raw join with "\n\n")
| transaction on ORGID, EVENT, ORDER, FACILITY with "*A request to obtain a channel subscription failed*" as NO_SUB, with "*M cannot be discontinued*" as NO_DC, with "*Person not found*" as NO_PERSON
| (NO_SUB + NO_DC + NO_PERSON) as Total
| fields ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC, NO_PERSON
| sort by Total, ORGID, EVENT, ORDER
//| sort by ORGID, EVENT

Splunk Search so far:

index=hhh_m_prod sourcetype=mirth* MID=* CID=* acctnumber=* facility=* orgid=* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error")
| fillnull value="NULL"
| transaction MID
| eval NO_DC=if(match(_raw, "M cannot be discontinued*"), "Yes", "No")
| eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed*"), "Yes", "No")
| eval NO_PERSON=if(match(_raw, "Person not found*"), "Yes", "No")
| transaction ORGID EVENT ORDER FACILITY
| eval Total=sum(NO_SUB, NO_DC, NO_PERSON)
| table ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC, NO_PERSON
| sort Total ORGID EVENT ORDER
| sort ORGID, EVENT

** I am lost for ideas on running the conditional transaction statements... Should I use more eval statements, or set up a transactiontypes.conf?
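As an added example (not part of the original post, and not an official answer from Sumo Logic or Splunk), here is one way to express what the Sumo `transaction on ... with "..." as STATE` clause computes, a count of messages per state for each ORGID/EVENT/ORDER/FACILITY group, in SPL without a second `transaction`: flag each MID transaction with a 0/1 per state, then `stats sum()` the flags by the grouping fields. The index, sourcetype, field names and match strings are copied from the post; it assumes ORGID, EVENT, ORDER and FACILITY are already extracted under exactly those names and that the three state strings appear literally in `_raw`.

```spl
index=hhh_m_prod sourcetype=mirth* MID=* "Statement" ("Search Keys" OR "STATUS=ERROR" OR "Error")
| fillnull value="NULL" ORGID EVENT ORDER FACILITY
| transaction MID
| eval NO_SUB=if(match(_raw, "A request to obtain a channel subscription failed"), 1, 0)
| eval NO_DC=if(match(_raw, "M cannot be discontinued"), 1, 0)
| eval NO_PERSON=if(match(_raw, "Person not found"), 1, 0)
| stats sum(NO_SUB) AS NO_SUB, sum(NO_DC) AS NO_DC, sum(NO_PERSON) AS NO_PERSON BY ORGID, EVENT, ORDER, FACILITY
| eval Total=NO_SUB+NO_DC+NO_PERSON
| table ORGID, EVENT, ORDER, FACILITY, Total, NO_SUB, NO_DC, NO_PERSON
| sort -Total, ORGID, EVENT, ORDER
```

Three details worth checking against your data: Splunk field names are case-sensitive, so a search that filters on `orgid=*` and `facility=*` but groups on `ORGID` and `FACILITY` is referring to two different fields, and one of them is probably empty; `match()` takes a regex, so the trailing `*` in the original patterns only makes the last character optional and is dropped here; and Splunk's `sort` is ascending by default, so `-Total` is needed to get Sumo's descending order. A `transactiontypes.conf` stanza lets you name a transaction definition (fields, `maxspan`, `startswith`/`endswith`) and call it as `transaction <name>`, but it does not count matches of several patterns per group; that part stays in `eval` and `stats`.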