
get hostname for each event in a transaction?

bfaber
Communicator

can I get transaction to show hostname or sourcetype for each event within? I'd like to be able to pass a transaction result to graphing software.

Currently, a transaction looks like this:

(date) Event 1
       Event 2
       Event 3

In short, I would like the splunk transaction to look like:

(date)  Event1 host=foo sourcetype=bar
        Event2 host=blat sourcetype=baz
        Event3 host=foo sourcetype=brrr

I want to then break up that transaction and hand it to a graphics engine (external to splunk) so I can visualize the transaction.

Make sense?


Lowell
Super Champion

First, I'm assuming that splunk's built-in visualizations are not adequate for your requirements, which is why you are asking this question. If you haven't tried this with splunk graphing tools, you may want to try that first.

Second. Keep in mind that splunk can export searches very easily to a CSV format. If your graphing tool can pull in your different fields from different CSV columns, then doing so may be an easier and more natural approach than modifying (augmenting) your raw event text.


With that out of your way, here are some thoughts on how to accomplish this within splunk:

You could almost use the collect command (basically for its ability to take fields and turn them into "key=value" pairs), however collect does not handle raw events very well. It normally expects some kind of stats command that returns simple results (just fields with values) rather than events (which include the raw text too).

You could try using collect with its debug mode and possibly renaming _raw to event_text (or something like that.) But if your events are multi-lined then this could look really ugly and may not even work. And the more I look at the code, the less and less I think this option will work....

So if you really need another way to accomplish this, you could consider writing your own search command, which would give you the ability to do anything you want. If you choose this option, check out the following links:




bfaber
Communicator

Thanks Lowell. I guess the part that is missing is this:
- Splunk transactions ROCK. I was hoping to capitalize on that without reinventing the wheel.
- I want to build a visual representation of the host path a transaction takes as it moves through my app. I can't seem to get to this detail with the transaction command as it exists today.


bfaber
Communicator

gkanapathy: The problem is that I want to send the transaction outside of Splunk and break up each line into something graphical. As part of that graphic, I want to know the host from whence this line came.


gkanapathy
Splunk Employee

Are you using Splunk to assemble this transaction from individual Splunk events (using the | transaction search command)? The transaction command will already make a multivalued field, so you can just use the value of host to do whatever with a statistical or MV-manipulating command.

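To tie together the two suggestions above (export the transaction to CSV, then use the multivalued host field that transaction already builds), here is an added example of the external half of that pipeline. It is not from this thread and not Splunk's own code. It assumes the transaction was keyed on a hypothetical session_id field, that the search used mvlist=t so that host and sourcetype keep one value per event in arrival order (the default de-duplicates and sorts them, which would lose the foo -> blat -> foo path from the question), and that the CSV export writes multivalue fields as newline-separated values inside one quoted cell. The script rebuilds the "EventN host=... sourcetype=..." lines the question asks for and emits a Graphviz DOT graph of host-to-host hops for an external renderer.

```python
"""Break a Splunk transaction CSV export into per-event host records and a
host-path graph for an external graphing engine (Graphviz DOT here).

Assumed SPL that produced the export (session_id is a hypothetical field):

    index=app | transaction session_id mvlist=t
              | table _time session_id host sourcetype

Alternative that annotates the raw text itself before assembling the
transaction, giving the layout shown in the question:

    index=app | eval _raw=_raw." host=".host." sourcetype=".sourcetype
              | transaction session_id
"""
import csv
import io
from collections import Counter

# Constructed sample of a Splunk CSV export (not real data). Multivalue
# fields are assumed to arrive newline-separated inside a single quoted cell.
SAMPLE_CSV = (
    '"_time","session_id","host","sourcetype"\n'
    '"2024-01-01T10:00:00","s1","foo\nblat\nfoo","bar\nbaz\nbrrr"\n'
    '"2024-01-01T10:05:00","s2","foo\nblat","bar\nbaz"\n'
)

MV_SEP = "\n"  # assumed multivalue separator in the export


def split_mv(cell):
    """Split one exported multivalue cell into its ordered values."""
    return cell.split(MV_SEP) if cell else []


def parse_transactions(text):
    """Return one dict per transaction with an ordered (host, sourcetype)
    pair per event. Mismatched counts mean the export lost per-event
    values (typically a search run without mvlist=t)."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        hosts = split_mv(row["host"])
        sourcetypes = split_mv(row["sourcetype"])
        if len(hosts) != len(sourcetypes):
            raise ValueError(
                f"transaction {row['session_id']}: host/sourcetype counts differ; "
                "export with mvlist=t so every event keeps its own values"
            )
        out.append({
            "session_id": row["session_id"],
            "_time": row["_time"],
            "events": list(zip(hosts, sourcetypes)),
        })
    return out


def event_lines(transaction):
    """Render the per-event lines in the format the question asks for."""
    return [
        f"Event{i} host={h} sourcetype={st}"
        for i, (h, st) in enumerate(transaction["events"], 1)
    ]


def host_edges(transactions):
    """Count directed host -> host hops across all transactions."""
    edges = Counter()
    for t in transactions:
        hosts = [h for h, _ in t["events"]]
        for a, b in zip(hosts, hosts[1:]):
            edges[(a, b)] += 1
    return edges


def to_dot(edges):
    """Emit a Graphviz DOT digraph with hop counts as edge labels."""
    lines = ["digraph transactions {"]
    for (a, b), n in sorted(edges.items()):
        lines.append(f'  "{a}" -> "{b}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    txns = parse_transactions(SAMPLE_CSV)
    for t in txns:
        print(f"({t['_time']}) {t['session_id']}")
        for line in event_lines(t):
            print("        " + line)
    print(to_dot(host_edges(txns)))
```

The DOT text can be piped straight into dot or any other Graphviz-compatible renderer; if the graphing tool wants a different format, only to_dot needs to change, since parse_transactions already yields the per-event host and sourcetype the question is after.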

jrodman
Splunk Employee

I'm not sure I understand the question; the host field should typically contain the hostname of where the event occurred, but you're probably trying to do something more focused (recommend editing the question).
