I am facing a problem with doing a transaction search across multiple logs (11 different sourcetypes) based on the example below.
I will simplify the scenario to just 4 sourcetypes for illustration purposes.
sourcetype="web-access-logs" Common fields: Username, IP_address
sourcetype="application-logs" Common fields: Username, transaction_id
sourcetype="third-tier-app-logs" Common field: transaction_id
sourcetype="bmc-error-logs" Common field: Username
Is there a way to craft a transaction search to pull out all events?
In sourcetype="web-access-logs"
I will want to pull out all activities based on the IP_address, as there will be no Username before the user logs into the portal; he can only be tracked via the IP address until he logs in and the Username appears. Only then will we be able to link the Username into the search.
Ultimately we are looking at having all the results, using the indirect linkages, form a transaction for troubleshooting purposes.
I tried a search as below:
sourcetype="*" | transaction fields IP_address,Username,transaction_id connected=f maxspan=1h maxpause=35m |search transaction_id="123456789"
Unfortunately it is not working.
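As an added illustration (not part of the original post, and not Splunk's own implementation), the following Python sketch shows the indirect-linkage grouping the question is after: events from the four sourcetypes are chained into one group whenever they share any of IP_address, Username or transaction_id, so web hits seen only by IP are pulled in through the later login event. The sample events are constructed; the `maxspan` check mirrors the `maxspan=1h` in the attempted search.

```python
from collections import defaultdict

# Constructed sample events (not from the post); _time is epoch seconds.
EVENTS = [
    {"_time": 1000, "sourcetype": "web-access-logs", "IP_address": "10.0.0.5"},
    {"_time": 1060, "sourcetype": "web-access-logs", "IP_address": "10.0.0.5", "Username": "alice"},
    {"_time": 1120, "sourcetype": "application-logs", "Username": "alice", "transaction_id": "123456789"},
    {"_time": 1180, "sourcetype": "third-tier-app-logs", "transaction_id": "123456789"},
    {"_time": 1240, "sourcetype": "bmc-error-logs", "Username": "alice"},
    {"_time": 1300, "sourcetype": "web-access-logs", "IP_address": "10.0.0.9", "Username": "bob"},
    {"_time": 1360, "sourcetype": "application-logs", "Username": "bob", "transaction_id": "987654321"},
]
LINK_FIELDS = ("IP_address", "Username", "transaction_id")

def link_events(events, fields=LINK_FIELDS):
    """Group events connected directly or indirectly through any shared field value
    (the behaviour wanted from `transaction ... connected=f`), using union-find."""
    parent = list(range(len(events)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i
    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
    # Union each event with the first event that carried the same (field, value) pair.
    first_seen = {}
    for idx, ev in enumerate(events):
        for f in fields:
            if f in ev:
                key = (f, ev[f])
                if key in first_seen:
                    union(first_seen[key], idx)
                else:
                    first_seen[key] = idx
    groups = defaultdict(list)
    for idx in range(len(events)):
        groups[find(idx)].append(events[idx])
    return [sorted(g, key=lambda e: e["_time"]) for g in groups.values()]

def find_transaction(events, transaction_id, maxspan=3600):
    """Return the linked group containing transaction_id, or None when no group
    matches or the group spans more than maxspan seconds (maxspan=1h in the post)."""
    for group in link_events(events):
        if any(e.get("transaction_id") == transaction_id for e in group):
            span = group[-1]["_time"] - group[0]["_time"]
            return group if span <= maxspan else None
    return None
```

Running `find_transaction(EVENTS, "123456789")` returns all five of alice's events, including the pre-login web hit known only by IP.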