Splunk Search

Filter results AFTER transaction function

timmy13
Communicator

I have data that requires I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.

source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........

The results still include all Source_IP's, not just the one in the where clause.

Any ideas?


moesaidi
Path Finder

Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries; WHERE and SEARCH both don't seem to do anything after a transaction command.

0 Karma

yannK
Splunk Employee

After a transaction, all the fields of the transactions are merged into a single field.
If they are the same, only one is kept; if they are different, they are all concatenated.

Example:

search * |eval raw=_raw | table host source source_IP raw
hostA sourceA 192.168.168.73 "myrawevent"
hostA sourceA 192.168.168.10 "mysecondrawevent"

After the transaction:

search | transaction |eval raw=_raw | table host source source_IP raw
hostA sourceA "192.168.168.73 192.168.168.10" "myrawevent mysecondrawevent"

so you may want to filter using wildcards, like

source=*.log |transaction maxspan=10s maxpause=2 | where match(Source_IP, "192\.168\.168\.73")

or

source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")

or

source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"
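To make the merge behaviour described above concrete, here is a small Python model (added here as an example; it is not Splunk's code and not part of the original thread). It groups constructed sample events by maxspan/maxpause the way transaction does, merges per-field values the way the answer describes, and then shows why an exact-match filter on the merged field returns nothing while a substring (like/wildcard) filter keeps the transaction. The event data, field names and timing values are all constructed for illustration.

```python
# Toy model of Splunk's transaction command and of filtering on the merged
# fields, following the merge behaviour described in the answer above.
# Illustrative Python only, not Splunk's implementation; all events are constructed.

# Constructed sample events: _time in seconds, plus host, Source_IP and _raw.
EVENTS = [
    {"_time": 100.0, "host": "hostA", "Source_IP": "192.168.168.73", "_raw": "conn open"},
    {"_time": 101.0, "host": "hostA", "Source_IP": "192.168.168.10", "_raw": "conn data"},
    {"_time": 101.5, "host": "hostA", "Source_IP": "192.168.168.73", "_raw": "conn close"},
    {"_time": 120.0, "host": "hostB", "Source_IP": "10.0.0.5", "_raw": "login"},
    {"_time": 121.0, "host": "hostB", "Source_IP": "10.0.0.5", "_raw": "logout"},
]


def transaction(events, maxspan, maxpause):
    """Group time-ordered events like `| transaction maxspan=... maxpause=...`.

    A new transaction starts when the pause since the previous event exceeds
    maxpause, or when the event would stretch the transaction's total span
    past maxspan. Each non-time field keeps one value when all events agree
    and becomes a list of distinct values otherwise (the merge described above).
    """
    txns = []
    current = None
    for ev in sorted(events, key=lambda e: e["_time"]):
        if (current is None
                or ev["_time"] - current["_last"] > maxpause
                or ev["_time"] - current["_time"] > maxspan):
            current = {"_time": ev["_time"], "_last": ev["_time"],
                       "_raw": [], "fields": {}}
            txns.append(current)
        current["_last"] = ev["_time"]
        current["_raw"].append(ev["_raw"])
        for name, value in ev.items():
            if name in ("_time", "_raw"):
                continue
            values = current["fields"].setdefault(name, [])
            if value not in values:
                values.append(value)
    return txns


def merged(txn, name):
    """Render a merged field as the single space-joined string `| table`
    would show, e.g. "192.168.168.73 192.168.168.10"."""
    return " ".join(txn["fields"].get(name, []))


def where_exact(txns, name, value):
    """`| where Source_IP="192.168.168.73"`: whole-string equality, which
    misses any transaction in which the field merged more than one value."""
    return [t for t in txns if merged(t, name) == value]


def where_like(txns, name, value):
    """`| where like(Source_IP, "%192.168.168.73%")` or
    `| search Source_IP="*192.168.168.73*"`: substring match on the merged
    field, so a transaction containing the IP anywhere is kept."""
    return [t for t in txns if value in merged(t, name)]


if __name__ == "__main__":
    txns = transaction(EVENTS, maxspan=10, maxpause=2)
    for t in txns:
        print(merged(t, "host"), merged(t, "Source_IP"), "|", " ".join(t["_raw"]))
    print("exact:", len(where_exact(txns, "Source_IP", "192.168.168.73")))  # 0
    print("like: ", len(where_like(txns, "Source_IP", "192.168.168.73")))   # 1
```

Running it with maxspan=10 and maxpause=2 yields two transactions; the hostA one carries Source_IP "192.168.168.73 192.168.168.10", so the exact filter finds nothing and the substring filter finds one. Lowering maxspan to 1 splits the hostA run into two transactions, which is the same knob you would turn in Splunk when a filter after transaction keeps matching too much or too little.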

sideview
SplunkTrust

Here are some things I would double check.

Are you sure the case is the same? Field names are case sensitive.

Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.

If you wrap the IP in wildcards, does it still fail to match? It sounds dubious, but maybe the extracted value ended up with a space character on one side or the other.

0 Karma

sideview
SplunkTrust

Hmm... Well, I'm not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to support@splunk.com so they can start looking at it for you and asking around internally.

0 Karma

timmy13
Communicator

Thanks for responding, Nick. Yes, I tried search as well with the same results. And I have confirmed the case. Wildcards around the IP don't resolve it.

To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.

0 Karma