Splunk Search

Filtering Chart data after transaction function

timmy13
Communicator

Consider log entries such as the following:

20110605.132223 CONNECT misc.data 10.10.10.2 ID=12345

20110605.132298 ADD misc.data ID=12345

20110605.132298 MOD misc.data ID=12345

20110605.132298 DISCONNECT misc.data ID=12345

So, this is a transaction, but notice that only the CONNECT event has the IP. I can't group on the ID value as it is not unique across log files. So I am using transaction to group the records based on a time range AND the ID.

Now, there may be matches that include other IP addresses. This is because a transaction might be between 2 or more servers. So, post transaction, the resulting record from the search may have other IPs in it.

Ultimately, the purpose of the report is to count the various transaction types (CONNECT, ADD, etc.) by IP, but I only want to include 4 specific IPs in the results. So, my chart will ultimately have only 4 IPs on it.

How can I tell chart to only include the IP addresses that I specify using OR?


lguinn2
Legend

Is the ID unique within a log file? If so, the following should work...

Assume that the IP address is extracted into a field named IP and that the transaction type is extracted as a field named transtype.

I'd break this into 2 steps. First, associate an IP address with a source + ID combination:

sourcetype=yoursourcetype | transaction source, ID mvlist=true | eval reportIP = mvindex(IP,0) | table source, ID, reportIP, transtype

This will give you a table output; notice that transtype will be a list of the various transaction types that appear in the transaction. Also note that we pick up only the first IP address that appears in the transaction. Our next task is to break this back into separate events, so we can count them...

Count the number of each transaction type by IP - add this to the end of the previous search:

| mvexpand transtype | stats count by reportIP, transtype

The full picture:

sourcetype=yoursourcetype | transaction source, ID mvlist=true | eval reportIP = mvindex(IP,0) | table source, ID, reportIP, transtype | mvexpand transtype | stats count by reportIP, transtype

I hope this is what you wanted! Let me know if it doesn't work for you.
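As an added illustration of the pipeline in the answer above (this is example code written for this page, not code from the thread or from Splunk), the following Python script re-creates offline what `transaction source, ID mvlist=true | eval reportIP = mvindex(IP,0) | mvexpand transtype | stats count by reportIP, transtype` does, and adds the IP allowlist step the question asks for. The field names IP and transtype come from the answer; the log file names, the extra lines beyond the question's four, and the reused ID on a second host are constructed sample data. Note that Splunk's mvindex is zero-based, so the first IP of a transaction is index 0.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data. The first four lines of serverA.log mirror the
# question; the rest is invented to show a second server and an ID that is
# reused in another log file (so grouping must use source AND ID).
SAMPLE_LOGS = {
    "serverA.log": [
        "20110605.132223 CONNECT misc.data 10.10.10.2 ID=12345",
        "20110605.132224 ADD misc.data ID=12345",
        "20110605.132225 MOD misc.data ID=12345",
        "20110605.132226 DISCONNECT misc.data ID=12345",
        "20110605.132300 CONNECT misc.data 10.10.10.50 ID=12346",
        "20110605.132301 ADD misc.data ID=12346",
        "20110605.132302 DISCONNECT misc.data ID=12346",
    ],
    "serverB.log": [
        # Same ID as serverA's first transaction but a different host.
        "20110605.132240 CONNECT misc.data 10.10.10.7 ID=12345",
        "20110605.132241 MOD misc.data ID=12345",
        "20110605.132242 DISCONNECT misc.data ID=12345",
    ],
}

# Field extraction for the log format in the question: the IP is optional
# because only CONNECT lines carry one.
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}\.\d{6}) (?P<transtype>[A-Z]+) (?P<obj>\S+)"
    r"(?: (?P<IP>\d{1,3}(?:\.\d{1,3}){3}))? ID=(?P<ID>\d+)$"
)


def parse_line(source, line):
    """Return a dict of extracted fields, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["source"] = source
    ev["_time"] = datetime.strptime(ev["ts"], "%Y%m%d.%H%M%S")
    return ev


def build_transactions(logs):
    """Emulate `transaction source, ID mvlist=true`: one record per
    (source, ID) whose fields are ordered lists of every value seen."""
    txns = defaultdict(lambda: defaultdict(list))
    for source, lines in logs.items():
        for line in lines:
            ev = parse_line(source, line)
            if ev is None:
                continue
            rec = txns[(source, ev["ID"])]
            rec["transtype"].append(ev["transtype"])
            if ev["IP"]:
                rec["IP"].append(ev["IP"])
    return txns


def mvindex(values, idx):
    """Splunk's mvindex semantics: zero-based, None when out of range."""
    return values[idx] if -len(values) <= idx < len(values) else None


def count_by_ip(logs, allowed_ips=None):
    """eval reportIP=mvindex(IP,0) | mvexpand transtype | stats count by
    reportIP, transtype. `allowed_ips` stands in for the OR-filter the
    question asks for; None means no filtering."""
    counts = Counter()
    for rec in build_transactions(logs).values():
        report_ip = mvindex(rec.get("IP", []), 0)
        if report_ip is None:
            continue  # stats drops rows whose by-field is null
        if allowed_ips is not None and report_ip not in allowed_ips:
            continue
        for transtype in rec["transtype"]:  # mvexpand transtype
            counts[(report_ip, transtype)] += 1
    return counts


if __name__ == "__main__":
    wanted = {"10.10.10.2", "10.10.10.7"}  # the "4 specific IPs" of the question
    for (ip, transtype), n in sorted(count_by_ip(SAMPLE_LOGS, wanted).items()):
        print(f"{ip:<14} {transtype:<12} {n}")
```

In SPL the allowlist step corresponds to inserting `| search reportIP=10.10.10.2 OR reportIP=10.10.10.7` (listing each wanted address) after the eval and before the stats or chart command, so that only transactions whose first IP is one of the named hosts are counted.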

timmy13
Communicator

Yes, precisely. Because 10.10.10.2 might be connecting to 10.10.10.50. I only care about 10.10.10.2 though, so I want to chart on it alone and not records for .50.


mw
Splunk Employee

Are you saying that you could have a line in the middle of those 4 that says "... CONNECT misc.data 10.10.10.50 ID=12345"?
