I am looking for an alternate way to write a Splunk query without using transaction. Example, assuming r is a unique field in both the searches:
(sourcetype=* "search log 1") OR (sourcetype=* "search log 2") | transaction r startswith="X" endswith="y" maxspan=4s
Typically, stats will be found to be your friend here.
However, without seeing sample data or what actual SPL you have tried so far, any answer is mostly going to be speculation :)
I'll happily update this answer if/when you provide such, but here's a possible start:
(index=ndxA sourcetype=srctpA "search log 1" r=*) OR (index=ndxB sourcetype=srctpB "search log 2" r=*)
| stats min(_time) as begintime max(_time) as endtime values(index) as rindex values(sourcetype) as rsourcetype by r
| eval begintime=strftime(begintime,"%c"), endtime=strftime(endtime,"%c")
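The stats version above keeps every event per r and ignores the three constraints the original transaction carried (startswith, endswith, maxspan), so a pair of "search log 2" events with no preceding "search log 1" would still produce a row. The following SPL is an added example, not the answerer's query, showing one way to carry those constraints over into stats; it assumes the same placeholder index and sourcetype names as the answer, and that "X" and "y" are the literal start and end markers from the question (searchmatch is a Splunk eval function; the 4-second limit mirrors maxspan=4s):

```spl
(index=ndxA sourcetype=srctpA "search log 1" r=*) OR (index=ndxB sourcetype=srctpB "search log 2" r=*)
| eval is_start=if(searchmatch("X"),1,0), is_end=if(searchmatch("y"),1,0)
| stats min(eval(if(is_start=1,_time,null()))) as begintime
        max(eval(if(is_end=1,_time,null()))) as endtime
        values(index) as rindex values(sourcetype) as rsourcetype
        count as event_count by r
| where isnotnull(begintime) AND isnotnull(endtime)
        AND endtime>=begintime AND endtime-begintime<=4
| eval duration=endtime-begintime
| eval begintime=strftime(begintime,"%c"), endtime=strftime(endtime,"%c")
```

The where clause drops groups that never saw a start marker, never saw an end marker, or whose end came before the start or more than 4 seconds after it, which is the subset transaction would have assembled. Unlike transaction, stats does not retain the raw events of each group, so if the combined _raw text is needed for an alert or an investigation timeline, add values(_raw) as events to the stats call (at the cost of memory on large result sets).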