Hi, I have three indexes that I'm trying to build a transaction from. The first two indexes each have a field named User_Name, which makes the transaction statement pretty easy. This creates the base transaction I'm looking for. The first index also has a field called ip. What I want to do is use this field to retrieve the events from the third index into the first transaction (unfortunately the User_Name field does not exist in the third index). I've tried so many different searches, all never result in a transaction containing all the pertinent records. Any thoughts on how to create this type of transaction? Thanks!!

Maybe this isn't the best place to ask this question but I'll try anyway. Can a transaction span multiple indexes and multiple sourcetypes? It seems like it can but I thought I would ask to verify it.
Curt

Curtgan, yes, this isn't the right place; you should really have started a new question. But the answer to your question is yes, transaction doesn't care so long as the time settings and field are right.
(28 Sep '11, 13:22)
sdwilkerson
What does your data look like? Is the username completely missing from the third index, or just not extracted into that field?
The username field does not exist in the third index.
What fields do exist in the third index that might be used to unite those events with events from one of the first two indexes? A subsearch or double-transaction might work.
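
One way to approach the question above, as an added example that is not part of the original thread: copy User_Name onto the third index's events through the shared ip value, then build a single transaction on User_Name. The index names `first_index`, `second_index` and `third_index` and the 30-minute `maxspan` are placeholders, and the search assumes the third index has a field named `ip` holding the same address as the first index. Where one address was seen with more than one user in the search window, the third-index events are left without a User_Name rather than attributed to the wrong account.

```spl
(index=first_index OR index=second_index OR index=third_index)
| eventstats dc(User_Name) AS users_on_ip, values(User_Name) AS user_for_ip BY ip
| eval User_Name=coalesce(User_Name, if(users_on_ip==1, user_for_ip, null()))
| where isnotnull(User_Name)
| transaction User_Name maxspan=30m
| table _time, User_Name, ip, duration, eventcount
```

Keep the search time range short when addresses are reassigned (DHCP, VPN pools), since the ip-to-user mapping is computed over the whole window.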