Splunk Search

Fields from transaction not displaying in table after extra eval

thisissplunk
Builder

Hi,

I'm using the transaction command to combine two different events into one larger event with the user_id as the key. This works. What does not work is when I try to table the data. I cannot get an eval'ed string field to display in the table after I concat (+) the user_id field onto the end of it.

Ex:

search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message

Message is completely blank! It's because of the addition of user_id, but I cannot figure why or how to make it work. If I put user_id in the table as its own column, that displays just fine. I understand user_id is a mv field at this point, but I've tried every eval mv field operator with no success. Nomv, mvjoin, mvindex etc.

Help!

edit: Also, if I do a nomv, mvjoin or mvindex on user_id and set that to a new field OR just blah=user_id, that new field is also blank if I put it in the table! If I use mvlist=t, then a | eval test=mvjoin(user_id, " and ")..... test shows "NULL and NULL" in the table.

0 Karma
1 Solution

thisissplunk
Builder

Could not figure out the root cause of why the mv commands, . or + were not working. Used a rex on raw to manually pull the field out of the raw transaction event instead. This did work:

| rex field=_raw "user_id:(?<id>.+?)\}"

I now have an "id" field that works and displays like normal. Interestingly enough, this solution does not work when mvraw=t.

0 Karma
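A self-contained version of the rex workaround above, added here as an example and not taken from the thread: two constructed sample events (the action and user_id names are assumed) are built with makeresults, combined with transaction, and the user is then re-extracted from the merged _raw. It goes one step beyond the original by using max_match=0 plus mvdedup, so the pattern matching twice in the combined raw text does not produce a multivalue id, and by concatenating with . rather than +.

```spl
| makeresults count=2
| streamstats count AS n
| eval _time = _time - n
| eval _raw = if(n == 1, "{action:export, user_id:alice}", "{action:login, user_id:alice}")
| rex field=_raw "user_id:(?<user_id>.+?)\}"
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| rex field=_raw max_match=0 "user_id:(?<id>.+?)\}"
| eval id = mvjoin(mvdedup(id), ", ")
| eval message = "Hi, this user was found to be doing a set of actions they shouldn't be: " . id
| table message, eventcount
```

Running this in Search should return one row whose message ends in "alice" with eventcount 2; the first rex supplies the user_id that transaction groups on, the second rex rebuilds a clean id from the merged event.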


somesoni2
SplunkTrust

Could you try this

search...
  | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + tostring(user_id)
  | transaction fields="user_id" maxspan=60s
  | where eventcount > 1 | rename user_id as mesage
  | table message

0 Karma

thisissplunk
Builder

This one didn't work either. I would have thought one of your suggestions would have. I've ended up using rex to pull the field I want from the _raw instead. This is working.

0 Karma

woodcock
Esteemed Legend

Try changing the + to .

If Splunk thinks user_id is a number, it may be trying to do a mathematical addition instead of a string concatenation. Really that should probably be a bug if that is what is happening (it is fine for Splunk to guess "math", but once that turns out not to work, it should default to "concatenation").

thisissplunk
Builder

This does not work either. I'm out of ideas. Is there any way to debug the fields, or anything else that can help me find a definitive answer?

0 Karma

somesoni2
SplunkTrust

Can you try these:

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | nomv user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | table user_id | mvexpand user_id | dedup user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message

0 Karma

thisissplunk
Builder

Sadly neither of those worked. message is blank but user_id is not. I've tried the other mv commands as well. Mvjoin used to work for me which is even stranger.

Is it possible the data types are not lining up? Is there a way to check this? Any other things I can do to debug and get some solid answers?

0 Karma