problem with transaction and inputlookup

cpuppet
Path Finder

I think I am stuck on this for some reason; my head isn't working right when thinking about this problem.

I have a bunch of web logs that I need to sort out by a certain field (let's say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction.
This web transaction can be defined with an SID for our transaction command.
However, I need to find all the transactions that include n number of XIDs that I have created in a list in an XID lookup table.

My original search:
sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID

The problem with this search is that it will only give the results of the lines that have the XID in my lookup table,
but what I really want to do is list out all the lines in the transaction (by SID) that includes an XID from my lookup table only.

Is it possible to do so?


Ayn
Legend

Just move the subsearch filter so that it is used after the transactions are created.

sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID] 

cpuppet
Path Finder

Ayn, thanks a lot.

I think I got where I had it wrong in the first place.
Your | search [|inputlookup xxx] saved me the trouble.

What I really need... might be this, to complete what we are looking for:

sourcetype ="web_log" | transaction SID XID | search [|inputlookup xid_lookup.csv | fields XID]

By this I will be able to filter out the different transactions of SIDs that are included with the particular XID in my table,

which will also run faster when I add maxspan to the transaction.

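The following is an added example, not code from the original thread or from Splunk. It models in plain Python, so it can be run without a Splunk instance, the point of Ayn's answer (the subsearch filter has to run after `transaction`, otherwise only the one or two lines carrying a listed XID survive) and the `maxspan` split that cpuppet's follow-up mentions. The web-log lines, SIDs, XIDs and lookup values are all constructed for illustration, and the `transaction` model is deliberately minimal (same-SID grouping plus `maxspan`, no `maxpause`, `startswith` or `endswith`).

```python
"""Added example (not from the original thread or from Splunk): a plain-Python
model of why the subsearch filter has to run after `transaction`, plus the
effect of `maxspan`. Every log line, SID, XID and lookup value below is
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2024, 3, 1, 12, 0, 0)
FIVE_MINUTES = timedelta(minutes=5)


def ev(offset_s, sid, xid, msg):
    """Build one constructed web-log event; XID is None on lines that lack it."""
    return {"_time": T0 + timedelta(seconds=offset_s), "SID": sid, "XID": xid, "msg": msg}


# Constructed sample of sourcetype="web_log". Only one or two lines per session carry XID.
WEB_LOG = [
    ev(0, "S1", None, "GET /login"),
    ev(1, "S1", None, "POST /login"),
    ev(2, "S1", "X100", "POST /checkout"),
    ev(3, "S1", None, "GET /confirm"),
    ev(0, "S2", None, "GET /login"),
    ev(5, "S2", "X200", "POST /checkout"),
    ev(6, "S2", None, "GET /confirm"),
    ev(0, "S3", None, "GET /"),
    ev(1, "S3", None, "GET /about"),
    ev(0, "S4", None, "GET /cart"),
    ev(2, "S4", "X300", "POST /checkout"),
    ev(900, "S4", None, "GET /cart"),      # 15 min later: same SID, new activity
    ev(901, "S4", None, "GET /logout"),
]

# Constructed stand-in for `| inputlookup xid_lookup.csv | fields XID`.
XID_LOOKUP = {"X100", "X300"}


def make_txn(sid, events):
    """Collapse a list of events into one transaction record, the way
    `transaction` produces eventcount, duration and a multivalue XID."""
    return {
        "SID": sid,
        "events": events,
        "eventcount": len(events),
        "duration": events[-1]["_time"] - events[0]["_time"],
        "XID": {e["XID"] for e in events if e["XID"] is not None},
    }


def transaction_by_sid(events, maxspan=None):
    """Model `transaction SID [maxspan=...]`: group events sharing a SID in
    time order, starting a new transaction when the next event would push
    the span past maxspan."""
    by_sid = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        by_sid[e["SID"]].append(e)
    txns = []
    for sid, evs in by_sid.items():
        current = [evs[0]]
        for e in evs[1:]:
            if maxspan is not None and e["_time"] - current[0]["_time"] > maxspan:
                txns.append(make_txn(sid, current))
                current = []
            current.append(e)
        txns.append(make_txn(sid, current))
    return txns


def filter_then_transaction(events, lookup):
    """The original search: the subsearch filter runs first, so only the
    one or two lines that carry a listed XID ever reach `transaction`."""
    return transaction_by_sid([e for e in events if e["XID"] in lookup])


def transaction_then_filter(events, lookup, maxspan=None):
    """Ayn's fix: build the transactions first, then keep those whose
    multivalue XID contains any listed value. All lines of the session survive."""
    return [t for t in transaction_by_sid(events, maxspan) if t["XID"] & lookup]


def summarize(txns):
    """(SID, eventcount, sorted XIDs) per transaction, for comparison."""
    return [(t["SID"], t["eventcount"], sorted(t["XID"])) for t in txns]


if __name__ == "__main__":
    print("filter first :", summarize(filter_then_transaction(WEB_LOG, XID_LOOKUP)))
    print("filter after :", summarize(transaction_then_filter(WEB_LOG, XID_LOOKUP)))
    print("with maxspan :", summarize(transaction_then_filter(WEB_LOG, XID_LOOKUP, FIVE_MINUTES)))
```

Filtering first leaves S1 and S4 with a single line each, which is the behaviour the question describes. Filtering after grouping returns all four lines of S1 and S4, and with a five-minute `maxspan` the stale S4 activity is split into its own transaction and dropped because it carries no listed XID. In SPL the post-transaction `search [| inputlookup ...]` works the same way: the subsearch expands to `XID=X100 OR XID=X300`, which is matched against the transaction's multivalue XID field.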