Splunk Search

How to write a search to merge logs with transaction where OR if?

jrodriguezap
Contributor

Hi there
A question: can you do something like a "transaction where"?
For example, all of the following logs merged, with the exception of those with the "dst" field:

Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com

Whereas the logs that have "dst" should continue to be shown.

PS: Skip APPEND

1 Solution

OL
Communicator

Can you try:

(your search params) | eval dst=if(isnull(dst),"NULL", dst) | transaction sessionid dst

Regards,
Olivier



jrodriguezap
Contributor

Hi OL
A question: is there something that allows me to split the merged logs?
That is, after the transaction, do a | where isnull(src), and I want to divide those that do not have that field. I tried with mvexpand, but this divided the field; what I want is to divide the entire log.
Maybe some command that divides through a regex?


jrodriguezap
Contributor

Haha!
It was so simple that I forgot that it could be.
Thank you very much


jrodriguezap
Contributor

Hi, thanks
I need to have all the logs that do not have the "dst" field merged, but it must continue showing those that do have it.


jeremiahc4
Builder

This looks like a very simple transaction on the sessionid; if you don't want dst, then you could just throw a NOT in there:

(your search params) NOT dst=* | transaction sessionid

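A simulation of both searches in this thread (the accepted eval + transaction answer, and the NOT variant directly above), added here as an example that is not part of the original posts. Splunk is not available offline, so it re-implements the grouping in Python over the six sample events from the question (constructed data, copied from the post). The parse_event and transaction helpers are simplified stand-ins for Splunk's automatic key=value extraction and the transaction command, not Splunk code; in particular the simulated transaction only groups by exact key values and ignores maxspan/maxpause, which is enough to show why filling the missing dst with a literal "NULL" yields one merged event for the dst-less lines plus one event per dst line.

```python
import re
from collections import OrderedDict

# Constructed sample events, copied verbatim from the question above.
RAW_EVENTS = """\
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 sender=jorge@domain.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 subject="regards"
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 size=452132
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=luis@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=jhon@example.com
Aug 27 17:42:40 172.24.20.35 sessionid=53f2b45b0526 dst=alex@example.com
""".splitlines()

# key=value pairs; the value is either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Stand-in for Splunk's automatic key=value field extraction (assumption:
    one event per line, fields separated by whitespace)."""
    fields = {"_raw": line}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def transaction(events, *keys):
    """Simplified stand-in for `| transaction <keys>`: events whose values for
    all the given keys are identical become one merged event. An event that
    lacks one of the keys is not grouped here, which is exactly the hole the
    eval step below closes by giving dst a concrete value."""
    groups = OrderedDict()
    for ev in events:
        if any(k not in ev for k in keys):
            continue
        groups.setdefault(tuple(ev[k] for k in keys), []).append(ev["_raw"])
    return [
        {"keys": k, "eventcount": len(raws), "_raw": "\n".join(raws)}
        for k, raws in groups.items()
    ]


def merge_with_null_dst(raw_lines):
    """Accepted answer:
    ... | eval dst=if(isnull(dst),"NULL",dst) | transaction sessionid dst
    Lines without dst share the key (sessionid, "NULL") and merge into one
    event; each dst line keeps its own key and stays a separate event."""
    events = []
    for line in raw_lines:
        ev = parse_event(line)
        ev["dst"] = ev.get("dst", "NULL")  # the eval step
        events.append(ev)
    return transaction(events, "sessionid", "dst")


def merge_without_dst(raw_lines):
    """jeremiahc4's variant: exclude dst events first, then transaction by
    sessionid. The exclusion must be NOT dst=* in SPL; dst!=* matches nothing,
    because != only evaluates events where the field exists."""
    events = [parse_event(line) for line in raw_lines]
    events = [ev for ev in events if "dst" not in ev]  # NOT dst=*
    return transaction(events, "sessionid")


if __name__ == "__main__":
    for label, result in (("eval+transaction", merge_with_null_dst(RAW_EVENTS)),
                          ("NOT dst=*", merge_without_dst(RAW_EVENTS))):
        print(f"== {label}: {len(result)} transaction(s)")
        for t in result:
            print(f"-- keys={t['keys']} eventcount={t['eventcount']}")
            print(t["_raw"])
```

Running it shows the first search producing four results (the three dst-less lines merged under dst=NULL, then luis, jhon and alex each on their own) and the second producing a single merged event that silently drops the three dst lines, which is the difference the original poster was asking about.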

somesoni2
SplunkTrust

Are there any other field based on which you need to merge them?
