I have data that requires that I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.
source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........
The results still include all Source_IPs, not just the one in the where clause.
Any ideas?
Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries; both WHERE and SEARCH don't seem to do anything after a transaction command.
After a transaction, all the fields of the transactions are merged into a single field.
If they are the same, only one is kept; if they are different, they are all concatenated.
Example:
search * |eval raw=_raw | table host source source_IP raw
hostA sourceA 192.168.168.73 "myrawevent"
hostA sourceA 192.168.168.10 "mysecondrawevent"
After the transaction:
search | transaction |eval raw=_raw | table host source source_IP raw
hostA sourceA "192.168.168.73 192.168.168.10" "myrawevent mysecondrawevent"
So you may want to filter using wildcards, like
source=*.log |transaction maxspan=10s maxpause=2 |WHERE Source_IP="*192.168.168.73*"
or
source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")
or
source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"
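Because the merged Source_IP is a multivalue field after transaction, the exact-match where fails even though one of its values is the IP you want. The following is an added example (not from the answer above) that tests each value individually with mvfind and keeps the transaction only if some value matches; maxspan/maxpause and the IP are taken from the question, and the count by host at the end is an assumed illustration.

```spl
source=*.log
| transaction maxspan=10s maxpause=2
| eval ip_list=mvjoin(Source_IP, " ")
| where isnotnull(mvfind(Source_IP, "^192\.168\.168\.73$"))
| eval ip_count=mvcount(Source_IP)
| table _time host ip_list ip_count duration eventcount
| stats count by host
```

mvfind returns the index of the first value matching the regex and NULL when none does, so the anchored pattern avoids the partial matches that a "*192.168.168.73*" wildcard would accept (for example 192.168.168.730). mvjoin is used only to render the multivalue field as one readable string in the table.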
Here are some things I would double check.
Are you sure the case is the same? Field names are case sensitive.
Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.
If you put wrap the IP in wildcards does it still fail to match? It sounds dubious but maybe the extracted value ended up with a space character on one side or the other.
Hmm... Well, I'm not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to support@splunk.com so they can start looking at it for you and asking around internally.
Thanks for responding, Nick. Yes, I tried search as well with the same results. And I have confirmed the case. Wildcards around the IP don't resolve it.
To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.