I have some data sources in Splunk that are XML formatted. So I have a field id that should be a transaction. If I do a simple search:

```
host="srchhost*" src="/path/to/tomcat/log/qlogs/*" | transaction id
```

the transactions marry up correctly by id. If I try to look for transactions with specific attributes, I don't get the results I'm expecting. I've tried several variations of the following (with both the transaction command and the join command):

```
host="srchhost*" src="/path/to/tomcat/log/qlogs/*" NumberOfMatches < 0 | transaction id
```

I think I'm not looking at the problem the right way and am hoping someone out there can put me on the right path. I have a field id that is common to the search and the result set. I want to know what TextQuery people used that returned zero NumberOfMatches. So I ask for a result set of id values for zero matches. I then want to return the TextQuery field for every one of those IDs. I can get the TextQuery values for a given ID. I just can't do it in a single search pipeline.

This is a very common stumbling block when you're first getting started. You have to get away from old SQL-ish ideas of joining two different datasets. Instead you just mash them together from the very beginning with a big OR:

```
host="srchhost*" src="/path/to/tomcat/log/qlogs/*" ( NumberOfMatches<0 OR Request_1 )
```

And then you pipe to transaction or to stats to put the mess together sensibly:

```
host="srchhost*" src="/path/to/tomcat/log/qlogs/*" ( NumberOfMatches<0 OR Request_1 ) | transaction id
```

The transaction command is good for the use cases where, at the end of the day, you need the actual multiline raw text of the various events all stuck together. Usually however you find that's not what you need and rather you just need various statistics and bits of text from the overall set of conjoined/conglommified events.
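The stats form of the same OR approach, written out as an added example rather than the answer's own search; it assumes the zero-result events carry `NumberOfMatches=0` and the request events carry the `TextQuery` field, with `id` shared by both (no `join` or `transaction` needed):

```spl
host="srchhost*" src="/path/to/tomcat/log/qlogs/*" (NumberOfMatches=0 OR TextQuery=*)
| stats values(TextQuery) AS TextQuery, min(NumberOfMatches) AS NumberOfMatches BY id
| where NumberOfMatches=0
| table id TextQuery
```

Because the base search only admits result events whose NumberOfMatches is 0, an id that still has a non-null NumberOfMatches after `stats` had a zero-match result, and ids with only a request event fall out at the `where`.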