Solved: Transitive Transaction attributes

bleinfelder · ‎06-06-2014

Hi there,

I'm doing analysis on file transfer logs from different transfer system. I want to follow the file through the different systems, and unfortunately they change their names every now and then. Meanwhile I normalized all the relevant fields, so I have events like that:

sourcefile=aafile destfile=aafile

sourcefile=aafile destfile=bbfile

sourcefile=bbfile destfile=ccfile

sourcefile=ccfile destfile=ddfile

I want all these events grouped into one transaction. So far, with " | transaction sourcefile destfile", whenever the filename changes, a new transaction starts.

I found similar questions here, but no answer. Any help?

Regards,

Bernd

bleinfelder · ‎06-10-2014

Hi there,

I found a solution for this: Create a multivalued field that contains sourcefile and destfile and make the transaction with that field:

sourcetype=mysourcetype| eval txattrib=mvappend(sourcefile,null,destfile) | transaction txattrib

With that expression, all four events are grouped to one transaction.

Regards,

Bernd

View solution in original post

bleinfelder · ‎06-10-2014

Hi there,

I found a solution for this: Create a multivalued field that contains sourcefile and destfile and make the transaction with that field:

sourcetype=mysourcetype| eval txattrib=mvappend(sourcefile,null,destfile) | transaction txattrib

With that expression, all four events are grouped to one transaction.

Regards,

Bernd

Transitive Transaction attributes

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!