Splunk Search

Transactions using different identifying fields

himynamesdave
Contributor

Attached is some data that you should be able to use to reproduce what I am trying to achieve.

Events.csv – extract of raw_field and sourcetype
Field extractions.txt – extract of field extractions from props.conf

I'm trying to follow the flow of transactions using Splunk.

Transactions use different identifiers as they progress, which are: ORDER_NUMBER, CAR_PDR, CAR_PCR, PFM_PDR, PFM_PCR

I am using joins to make sense of the results:

chain=* | join PFM_PCR type=outer [search PFM_PCR=* PFM_PDR=*] | join CAR_PCR type=outer [search CAR_PCR=* CAR_PDR=*] | join PFM_PDR type=outer [search ORDER_NUMBER=* PFM_PDR=*] | join CAR_PDR type=outer [search ORDER_NUMBER=* CAR_PDR=*] | transaction ORDER_NUMBER

I thought I didn’t need the joins and could do the following instead:

chain=* | transaction ORDER_NUMBER CAR_PDR CAR_PCR PFM_PDR PFM_PCR

but this had the effect of creating transactions that had all the keys as the tuple for the transaction ID. So we got transactions for (order1,car_pdr1,…), (order1,car_pdr2,…) etc.

Is there a better way of doing the transaction on ORDER_NUMBER that avoids all those messy joins?

0 Karma

jbjerke_splunk
Splunk Employee

Hi David

While not exactly what you are asking for, you might be able to get around the problem by using the stats command and list() by ORDER_NUMBER:

| stats count as eventcount, list(_raw) as events, list(PFM_PCR) as PFM_PCR, list(CAR_PCR) as CAR_PCR, list(PFM_PDR) as PFM_PDR, list(CAR_PDR) as CAR_PDR, range(_time) as duration by ORDER_NUMBER

After this command you can apply some conditional searching to narrow down the results to fit your outer join "criteria".

j

0 Karma

emiller42
Motivator

So transaction should be working exactly as you're expecting here. Consider:

event=1 field1=foo
event=2 field1=foo
event=3 field1=foo field2=bar
event=4 field2=bar
event=5 field2=bar

If you run | transaction field1 field2 you'll actually get a single event containing 1 through 5. This is because it's looking for transitive relationships, and as long as there is at least one event where fields overlap, it'll consider them joined.

However, that ONLY works if you have some overlap connecting events.

Your sample data doesn't seem to include everything needed to test this. For example, there are no events that meet the EXTRACT-chain,PFM_PDR,File_name, EXTRACT-chain (PcR finished), EXTRACT-PFM_PcR,PFM_PcR_type, EXTRACT-PFM_PDR,PFM_PcR,chain,Product_name extractions from the PSM_FILE sourcetype.

0 Karma
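The transitive grouping this answer describes, as a small added Python model (not Splunk's code and not from either poster): a union-find pass that links any two events sharing a value in one of the listed fields, so that a single bridging event such as event 3 above pulls both sides into one group. The samples are constructed; the five-event set is the one from the answer, the disjoint set shows what happens without a bridging event, and the ORDER_EVENTS set uses the question's field names with made-up values to show the hand-off chain the original poster wants to follow. It models only field-value linkage and ignores the time-based options of the real transaction command (maxspan, maxpause, startswith, endswith).

```python
from collections import defaultdict

# Constructed sample from the answer above: events 1-3 share field1=foo,
# events 3-5 share field2=bar, so event 3 bridges the two groups.
SAMPLE_EVENTS = [
    {"event": 1, "field1": "foo"},
    {"event": 2, "field1": "foo"},
    {"event": 3, "field1": "foo", "field2": "bar"},
    {"event": 4, "field2": "bar"},
    {"event": 5, "field2": "bar"},
]

# Constructed sample with no bridging event: the two groups never overlap.
DISJOINT_EVENTS = [
    {"event": 1, "field1": "foo"},
    {"event": 2, "field1": "foo"},
    {"event": 3, "field2": "bar"},
    {"event": 4, "field2": "bar"},
]

# Constructed sample in the shape of the question: each hop shares exactly
# one identifier with the previous hop (values are made up).
ORDER_FIELDS = ["ORDER_NUMBER", "CAR_PDR", "CAR_PCR", "PFM_PDR", "PFM_PCR"]
ORDER_EVENTS = [
    {"event": 1, "ORDER_NUMBER": "order1", "CAR_PDR": "pdr1"},
    {"event": 2, "CAR_PDR": "pdr1", "CAR_PCR": "pcr1"},
    {"event": 3, "CAR_PCR": "pcr1", "PFM_PDR": "pfm1"},
    {"event": 4, "ORDER_NUMBER": "order2", "CAR_PDR": "pdr2"},
    {"event": 5, "CAR_PDR": "pdr2"},
]


def group_transitively(events, fields):
    """Return events grouped by transitive field-value links.

    Two events are linked when they carry the same value in any one of
    `fields`; groups are the connected components of that relation, which is
    the behaviour `transaction field1 field2 ...` shows in the answer above.
    An event lacking every listed field ends up in a group of its own.
    """
    parent = list(range(len(events)))

    def find(i):
        # Path-halving union-find lookup.
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # First event seen for each (field, value) pair; later matches join it.
    first_seen = {}
    for idx, ev in enumerate(events):
        for field in fields:
            if field in ev:
                key = (field, ev[field])
                if key in first_seen:
                    union(first_seen[key], idx)
                else:
                    first_seen[key] = idx

    members = defaultdict(list)
    for idx in range(len(events)):
        members[find(idx)].append(idx)

    # Order groups by their earliest event, like transaction's output order.
    return [[events[i] for i in grp] for grp in sorted(members.values(), key=lambda g: g[0])]


def event_numbers(groups):
    """Flatten grouped events to their 'event' numbers for easy inspection."""
    return [[ev["event"] for ev in grp] for grp in groups]


if __name__ == "__main__":
    print(event_numbers(group_transitively(SAMPLE_EVENTS, ["field1", "field2"])))
    print(event_numbers(group_transitively(DISJOINT_EVENTS, ["field1", "field2"])))
    print(event_numbers(group_transitively(ORDER_EVENTS, ORDER_FIELDS)))
```

Running the module prints one group of five for the answer's sample, two groups of two for the disjoint sample, and two groups for the order hand-off chain; passing only ["field1"] to the first sample shows the other side of the same rule, since events 4 and 5 then have no linking field and fall into singleton groups.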