Splunk Search

Joining Transactions

Hazel
Communicator

Hello,

I have two searches that use transactions to get part of a table of results that I want.

Firstly,

index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "*sample*" | transaction instance | fields instance, application, config | fields - _time

This brings me a table, eg

App1     Result1
         Result2 exampletext
         Result3

App2     Result4 A text
         Result5 b
         Result6 c

And a second, which produces similar for a different sourcetype

index="ems" sourcetype="factoryconfig" | search NOT "" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance
App1    Connection1 details
        Connection2 details
        Connection3 details

App2    Connection4 details
        Connection5 details
        Connection6 details

What i want to do, is join the two searches

 index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]

To get a table such as

App1     Result1               Connection1 - url - type
         Result2 exampletext   Connection2 - url - type
         Result3               Connection3 - url - type

App2     Result4 A text        Connection4 - url - type
         Result5 b             Connection5 - url - type
         Result6 c             Connection6 - url - type

But, when I do a join, it messes up the formatting and i get this, ie it gets rid of my nice formatting. Does anyone know why?

App1     Result1 Result2 example text Result3   Connection1 - url - type Connection2  - url - type Connection3 - url - type

App2     Result4 A text Result5 b Result6 c       Connection4 - url - type  Connection5  - url - type Connection6 - url - type

Paolo_Prigione
Builder

Hi Hazel, it seems like you lost the "multivalue" property for those fields. Have you tried to force a:

... | makemv delim="<proper delimiter>" factoryconfig | makemv delim="<proper delimiter>" config

at the end of the search string? You might have to cook a delimiter into the original fields to be able to split them at the end of the search string.

I was able to obtain a messed up table as in your example with this query:

index="test" earliest=-10d 
| rex field=source "(?<path>(\w+\\\\)+)" 
| bucket _time span=10m 
| transaction path 
| fields host, path, source 
| fields - _time 
| join s max=0 
    [search index="test" earliest=-10d 
    | rex field=source "(?<path>(\w+\\\\)+)" 
    | rex field=source "(?<filename>[^\\\\]+)$" 
    | bucket _time span=10m 
    | transaction path 
    | fields host, path, source, filename 
    | fields - _time] 

And was able to restore the multivalues by appending this at the end:

... | table host source path filename
| makemv delim=" " source 
| makemv delim=" " filename

Hope that helped you out a bit

Hazel
Communicator

index="ems" sourcetype="queueconfig" OR sourcetype="topicconfig" | multikv noheader=true | rename Column_1 as config | search NOT "sample" | transaction instance | fields instance, application, config | fields - _time | join max=0 instance [search index="ems" sourcetype="factoryconfig" | strcat factoryName " - " url " - " type factoryconfig | fields instance, application, factoryconfig | transaction instance]

0 Karma

Lowell
Super Champion

Can you add to your post the search that you are using to do the join. I see the two base searches, but there could be an issue with how you are using the join search command that would help reveal the issue.

0 Karma

Lowell
Super Champion

Hazel, is this still an open issues for you? I don't fully get what you are asking, but I'm wondering if your Using Multiple stats list question was part of the answer to this question as well.

0 Karma

Hazel
Communicator

Hi, yes I was still hoping for an answer for this one - might raise a support case. In this one, I get the data fine, but the question is to do with the formatting. As you can see in my two separate searches, it is formatted nicely on multiple lines, but when I join the searches, you lose this feature.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...