Tags: splunk, splunk-query

Avoid using Transaction in splunk queries


I am looking for an alternate way to write a Splunk query without using transaction. Example, assuming r is a unique field in both searches:

    (sourcetype=* "search log 1") OR (sourcetype=* "search log 2") | transaction r startswith="X" endswith="y" maxspan=4s


Solution

  • Typically, stats will be found to be your friend here

    However, without seeing sample data or what actual SPL you have tried so far, any answer is mostly going to be speculation :)

    I'll happily update this answer if/when you provide such, but here's a possible start:

    (index=ndxA sourcetype=srctpA "search log 1" r=*) OR (index=ndxB sourcetype=srctpB "search log 2" r=*)
    | stats min(_time) as begintime max(_time) as endtime values(index) as rindex values(sourcetype) as rsourcetype by r
    | eval begintime=strftime(begintime,"%c"), endtime=strftime(endtime,"%c")
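
An added example (not part of the original answer) that extends the stats approach above with the startswith="X", endswith="y" and maxspan=4s conditions from the question; the field r and the markers "X" and "y" come from the question, while the index and sourcetype names are placeholders. It approximates one start/end pair per r value (earliest start marker, latest end marker), which is what a transaction with a unique r would produce:

```spl
(index=ndxA sourcetype=srctpA "search log 1" r=*) OR (index=ndxB sourcetype=srctpB "search log 2" r=*)
| eval start_t=if(searchmatch("X"), _time, null()), end_t=if(searchmatch("y"), _time, null())
| stats min(start_t) as begintime max(end_t) as endtime count as eventcount values(sourcetype) as rsourcetype by r
| where isnotnull(begintime) AND isnotnull(endtime) AND endtime>=begintime AND endtime-begintime<=4
| eval duration=endtime-begintime
| eval begintime=strftime(begintime,"%c"), endtime=strftime(endtime,"%c")
```

The where clause drops r values that have only a start or only an end marker, or whose end falls outside the 4 second window, so the result set matches what maxspan would have cut off; unlike transaction, stats is distributable and does not hit the transaction memory limits on large result sets.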