Solved: Fields from transaction not displaying in table af...

thisissplunk · ‎09-18-2015

Hi,

I'm using the transaction command to combine two different events into one larger event with the user_id as the key. This works. What does not work is when I try to table the data. I cannot get an eval'ed string field to display in the table after I concat (+) the user_id field onto the end of it.

Ex:

search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message

Message is completely blank! It's because of the addition of user_id, but I cannot figure why or how to make it work. If I put user_id in the table as its own column, that displays just fine. I understand user_id is a mv field at this point, but I've tried every eval mv field operator with no success. Nomv, mvjoin, mvindex etc.

Help!

edit: Also, if I do a nomv, mvjoin or mvindex on user_id and set that to a new field OR just blah=user_id, that new field is also blank if I put it in the table! If I use mvlist=t, then a | eval test=mvjoin(user_id, " and ")..... test shows "NULL and NULL" in the table.

thisissplunk · ‎09-21-2015

Could not figure out root cause of why mv commands, . or + were not working. Used a rex on raw to manually pull the field out of the raw transaction event instead. This did work:

| rex field=_raw "user_id:(?<id>.+?)\}"

I now have an "id" field that works and displays like normal. Interestingly enough, this solution does not work when mvraw=t.

View solution in original post

thisissplunk · ‎09-21-2015

Could not figure out root cause of why mv commands, . or + were not working. Used a rex on raw to manually pull the field out of the raw transaction event instead. This did work:

| rex field=_raw "user_id:(?<id>.+?)\}"

I now have an "id" field that works and displays like normal. Interestingly enough, this solution does not work when mvraw=t.

somesoni2 · ‎09-21-2015

Could you try this

search...
  | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + tostring(user_id)
  | transaction fields="user_id" maxspan=60s
  | where eventcount > 1 | rename user_id as mesage
  | table message

thisissplunk · ‎09-21-2015

This one didn't work either. I would of thought one of your suggestions would have. I've ended up using rex to pull the field I want from the _raw instead. This is working.

woodcock · ‎09-18-2015

Try changing the + to .

If Splunk thinks user_id is a number, it may be trying to do a mathematical addition instead of a string concatenation. Really that should probably be a bug if that is what is happening (it is fine for Splunk to guess "math" but ones that turns out not to work, it should default to "concatenation").

thisissplunk · ‎09-21-2015

This does not work either. I'm out of ideas. Is there any way to debug the fields, or anything else that can help me find a definitive answer?

somesoni2 · ‎09-18-2015

Can you try thse:-

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | nomv user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | table user_id | mvexpand user_id | dedup user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message

thisissplunk · ‎09-18-2015

Sadly neither of those worked. message is blank but user_id is not. I've tried the other mv commands as well. Mvjoin used to work for me which is even stranger.

Is it possible the data types are not lining up? Is there a way to check this? Any other things I can do to debug and get some solid answers?

Fields from transaction not displaying in table after extra eval

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!