Splunk Search

Transaction command help

somesoni2
SplunkTrust

Hi,

I am trying to use the transaction command to get the various calls involved in completing the transactions. In simple English, a call may go like this.

App1-Func calls App2-FuncA             one event logging
App2-FuncA calls App3-FuncB          one event logging
App3-FuncB calls App4-FuncC          one event logging
App4-FuncC has exception, writes one exception event
App3-FuncB receives exception, writes one exception event
App2-FuncA receives exception, writes one exception event
App1-Func receives exception, writes one exception event

Every event has the same transaction Id, so I am able to club all these 7 events into one using the following command:

index=trans OR index=except | transaction transactionId

This command, as it should, gives multivalued fields; hence, when I issue a table command, I just get unique values for each field, and that too sorted.

Is there any way to show all the fields for all the events involved, in the order they appear in the transaction, generating output like this?

App     Called App   Called Func   Start Time   status   error Message (if status=fail)
App1    App2         FuncA         xxxx         Pass     NA
App2    App3         FuncB         yyyy         Pass     NA
App3    App4         FuncC         zzzz         Pass     NA
App3    App4         FuncC         qqqq         Fail     Something bad happened at FuncC
App2    App3         FuncB         aaaa         Fail     Something bad happened at FuncB
App1    App2         FuncA         bbbb         Fail     Something bad happened at FuncA
App1    -            Func          cccc         Fail     Something bad happened at Func
0 Karma

Ayn
Legend

Docs are your friend! 🙂

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction

mvlist=<bool> | <field-list>
    Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexicographically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. Defaults to f.

0 Karma
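
The difference between mvlist=f and mvlist=t described in the answer above, modelled in Python as an added example (it is not Splunk's code and not code from this thread). The sample events and the field names app, called_func and status are constructed, and every event is assumed to carry every field; in the search itself the option goes on the command as `transaction transactionId mvlist=t`.

```python
# Model of the documented mvlist flag; not Splunk's implementation.
# Constructed sample events, in the order the question lists them.
# Field names (app, called_func, status) are assumptions.
EVENTS = [
    {"transactionId": "T1", "app": "App1", "called_func": "FuncA", "status": "Pass"},
    {"transactionId": "T1", "app": "App2", "called_func": "FuncB", "status": "Pass"},
    {"transactionId": "T1", "app": "App3", "called_func": "FuncC", "status": "Pass"},
    {"transactionId": "T1", "app": "App3", "called_func": "FuncC", "status": "Fail"},
    {"transactionId": "T1", "app": "App2", "called_func": "FuncB", "status": "Fail"},
    {"transactionId": "T1", "app": "App1", "called_func": "FuncA", "status": "Fail"},
    {"transactionId": "T1", "app": "App1", "called_func": "Func", "status": "Fail"},
    {"transactionId": "T2", "app": "App9", "called_func": "FuncZ", "status": "Pass"},
]


def transaction(events, key, mvlist=False):
    """Group events by `key` and render the other fields per mvlist.

    mvlist=False: unique values, sorted (order and duplicates are lost).
    mvlist=True:  every value, in the order the events arrived.
    mvlist=<iterable of field names>: only those fields become lists.
    """
    groups = {}
    for ev in events:
        groups.setdefault(ev[key], []).append(ev)
    result = []
    for tid, evs in groups.items():
        row = {key: tid, "eventcount": len(evs)}
        names = dict.fromkeys(f for ev in evs for f in ev if f != key)
        for f in names:
            values = [ev[f] for ev in evs if f in ev]
            as_list = mvlist if isinstance(mvlist, bool) else f in mvlist
            row[f] = values if as_list else sorted(set(values))
        result.append(row)
    return result


def rows(txn, fields):
    """Zip list-valued fields back into one row per original event."""
    return list(zip(*(txn[f] for f in fields)))


if __name__ == "__main__":
    for label, flag in (("mvlist=f", False), ("mvlist=t", True)):
        t1 = transaction(EVENTS, "transactionId", mvlist=flag)[0]
        print(label, t1["app"], t1["status"])
    t1 = transaction(EVENTS, "transactionId", mvlist=True)[0]
    for r in rows(t1, ["app", "called_func", "status"]):
        print(*r)
```

With the default, the seven events collapse to three app values and two status values, which is the table output the question describes; with the list form the per-event rows can be rebuilt because each field keeps one value per event in the same order.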


somesoni2
SplunkTrust

I should get my glasses fixed now 😉 Thanks, this helps.

0 Karma