Hello,
I'm searching doing a search in splunk for the "request_id" field. For example: request_id = "XXXXXXX"
It returns data from 2 sources. I can do a dedup and get the last event and it has everything I need except for the duration field. Is there a way I can pass the duration field and the value to another event before running dedup?
If yes, how can I do this in bulk? I have a subsearch with a table of request_id's. I use it to search for all events matching those request_id's. How can I make sure that for each individual request_id, the duration field is populated for all events?
Thanks
... View more