I have a log file that is writing session data for users using an application in a csv format. The session data provides information about each transaction using "Meta" events and action information (Page Loads, Application Initialization). The sessionId is common to both types of events and is used to link the events. There is a one to many relationship between the action events and the meta events. (Each Action Event will have many Meta Events associated with it.)
I want to write a search that will add the information provided from the Meta information to the action information. I started using a join, but after running the search it looks like the search is only pulling back the meta information from the first meta tag. I have been able to push this data to Hadoop and run Ruby to "Sessionize" the data, but I want to be able to do this directly in Splunk.
Below is the join search. Is "Join" the right search to create a one to many relationship? Can I create a Subtable of Meta Data to each action event?
index=prod_ui sourcetype=ui_instrumentation Type=init OR Type=view | rename Type AS Type1 | rename SubjectName AS SubjectName1 | rename DataValue AS DataValue1 | table _time, SessionId, Type1, SubjectName1, DataValue1, Duration | join SessionId [search index=prod_ui sourcetype=ui_instrumentation Type=meta | table SessionId, DataValue, SubjectName, Type]