Hi,
I'm using the transaction command to combine two different events into one larger event with the user_id as the key. This works. What does not work is when I try to table the data. I cannot get an eval'ed string field to display in the table after I concat (+) the user_id field onto the end of it.
Ex:
search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message
Message is completely blank! It's because of the addition of user_id, but I cannot figure why or how to make it work. If I put user_id in the table as its own column, that displays just fine. I understand user_id is a mv field at this point, but I've tried every eval mv field operator with no success. Nomv, mvjoin, mvindex etc.
Help!
edit: Also, if I do a nomv, mvjoin or mvindex on user_id and set that to a new field OR just blah=user_id, that new field is also blank if I put it in the table! If I use mvlist=t, then a | eval test=mvjoin(user_id, " and ")..... test shows "NULL and NULL" in the table.
Could not figure out root cause of why mv commands, . or + were not working. Used a rex on raw to manually pull the field out of the raw transaction event instead. This did work:
| rex field=_raw "user_id:(?<id>.+?)\}"
I now have an "id" field that works and displays like normal. Interestingly enough, this solution does not work when mvraw=t.
Could you try this
search...
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + tostring(user_id)
| transaction fields="user_id" maxspan=60s
| where eventcount > 1 | rename user_id as mesage
| table message
This one didn't work either. I would have thought one of your suggestions would have. I've ended up using rex to pull the field I want from the _raw instead. This is working.
Try changing the + to . (a period). If Splunk thinks user_id is a number, it may be trying to do a mathematical addition instead of a string concatenation. Really that should probably be a bug if that is what is happening (it is fine for Splunk to guess "math", but once that turns out not to work, it should default to "concatenation").
This does not work either. I'm out of ideas. Is there any way to debug the fields, or anything else that can help me find a definitive answer?
Can you try these:
search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1 | nomv user_id
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message
search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1 | table user_id | mvexpand user_id | dedup user_id
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message
Sadly neither of those worked. message is blank but user_id is not. I've tried the other mv commands as well. Mvjoin used to work for me which is even stranger.
Is it possible the data types are not lining up? Is there a way to check this? Any other things I can do to debug and get some solid answers?
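As an added example (not from anyone in this thread), here is a diagnostic search for the question above about checking what Splunk actually holds in user_id after transaction. It assumes the same base search and field names as the original post; the uid_* column names are made up for this example. typeof() reports the type Splunk assigned ("Number", "String", "Boolean" or "Invalid"), mvcount() reports how many values the field carries, and mvindex(user_id, 0) isolates the first value so the concatenation can be tested against a single-valued field. Putting the raw field next to the derived columns in one table makes it visible at which step the value is lost.

```spl
search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval uid_type=typeof(user_id),
       uid_count=mvcount(user_id),
       uid_isnull=if(isnull(user_id), "yes", "no"),
       uid_first=mvindex(user_id, 0)
| eval message_dot="Hi, this user was found to be doing a set of actions they shouldn't be: " . uid_first
| table user_id uid_type uid_count uid_isnull uid_first message_dot
```

If uid_isnull is "yes" while the user_id column still renders, the value being displayed is coming from the transaction's _raw rather than from an extracted field, which is consistent with the rex workaround in the accepted answer; if uid_type is "Number", the + behaviour described earlier in the thread applies and the . form should be used.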