I have two types of transactions: one coming from a mobile app when a push notification is sent, which looks approximately like this:
TIMESTAMP="2016-03-29 23:39:01" DDSDKAppEventPushNotificationDelivered Msg=536 UID=101053 DEVICE=galaxys6 IP=XXX
and events from a shopping cart system, where that user has placed an order, which look approximately like this:
04/04/2016:15:26:15 TRANSPAYMENT SYSTEM=DD LABEL=1 MERCHANTID=XXX REGISTER=1 LOGIN=125451 TICKET=XXX PAID=YES PAYMETHOD=GIFTCARD CUSTLOYALTY=101053 ITEMS=1 SALE=2.73 DISCTYPE=FLAT DISCAMT=0.0 DISCAPPLIED=0
The **CUSTLOYALTY** field in the shopping cart is the same data as the **UID** field from the push notifications (if this was a SQL database, I would join tables on those fields). I have created a field alias for those two fields, "CUSTLOYALTY AS UID".
I've got some simple logic to separate the customers that received a push notification, coming from the mobile app log:
eval PromoRcvd = if (Msg>1,"Yes","No")
But when I try to mix fields from the mobile app log and the shopping cart log, the shopping cart fields (in this case, **SALE**) are always empty:
table UID,Msg,PromoRcvd,sum(SALE)
I thought I didn't need to explicitly join sources in Splunk in order to search across them?