Splunk Search

problem with transaction and inputlookup

cpuppet
Path Finder

I think I am stuck on this for some reason; my head isn't working right when thinking about this problem.

I have a bunch of web logs that I need to sort out with a certain field (let's say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction.
This web transaction can be defined with an SID for our transaction command.
However, I need to find all the transactions that include n number of XIDs that I have put in a list of XIDs in a lookup table.

My original search:
sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID

The problem with this search is that it will only give the result of the lines that have the XID in my lookup table,
but what I really want to do is list out all the lines in the transactions by SID that include an XID in my lookup table only.

Is it possible to do so?


Ayn
Legend

Just move the subsearch filter so that it is used after the transactions are created.

sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID] 

cpuppet
Path Finder

Ayn, thanks a lot.

I think I got where I had it wrong in the first place;
your | search [|inputlookup xxx] saved my trouble.

What I really need... might be this, to complete what we are looking for:

sourcetype ="web_log" | transaction SID XID | search [|inputlookup xid_lookup.csv | fields XID]

By this I will be able to filter out the different transactions of SIDs that include the particular XIDs in my table,

which will also run faster when I add maxspan to the transaction.

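The following is an added example, not code from the thread or from Splunk: a small Python model of the two pipelines discussed above (filtering on the XID lookup before `transaction SID`, as in the original search, versus after it, as in the accepted answer), plus the effect of the maxspan the final reply mentions. The events, the SID/XID field names and the lookup contents are constructed for illustration; the model only implements grouping on SID, not the `transaction SID XID` variant.

```python
"""Model of why the XID lookup filter must run after `transaction`.

Added example, not from the original thread. Events and lookup are constructed.
"""
from collections import OrderedDict

# Constructed sample web-log events: (_time, SID, XID or None, request)
EVENTS = [
    (100, "s1", None,  "GET /login"),
    (101, "s1", "x42", "POST /checkout"),
    (102, "s1", None,  "GET /done"),
    (100, "s2", None,  "GET /"),
    (103, "s2", "x99", "POST /search"),   # x99 is not in the lookup
    (100, "s3", None,  "GET /"),
    (104, "s3", "x17", "POST /pay"),
    (200, "s3", None,  "GET /logout"),    # 100 s after the first s3 event
]

# Constructed contents of xid_lookup.csv (column XID)
XID_LOOKUP = {"x42", "x17"}


def transaction(events, maxspan=None):
    """Group events by SID into transactions, like `transaction SID`.

    With maxspan, a transaction is closed and a new one started when the
    next event is more than `maxspan` seconds after the transaction's first
    event (a simplified reading of the SPL maxspan option).
    """
    groups = OrderedDict()
    for ev in sorted(events, key=lambda e: e[0]):
        t, sid = ev[0], ev[1]
        txns = groups.setdefault(sid, [])
        if txns and (maxspan is None or t - txns[-1][0][0] <= maxspan):
            txns[-1].append(ev)
        else:
            txns.append([ev])
    return [txn for txns in groups.values() for txn in txns]


def filter_then_transaction(events, lookup):
    """Original search: the subsearch becomes a filter on raw events, so only
    the one or two XID-bearing lines of each session survive; the rest of the
    session never reaches `transaction`."""
    matching = [ev for ev in events if ev[2] in lookup]
    return transaction(matching)


def transaction_then_filter(events, lookup, maxspan=None):
    """Accepted answer: `| transaction SID | search [| inputlookup ...]`.

    A transaction carries the XID values of all its events, so the filter
    keeps whole transactions that contain a listed XID and drops the others.
    """
    kept = []
    for txn in transaction(events, maxspan):
        xids = {ev[2] for ev in txn if ev[2] is not None}
        if xids & lookup:
            kept.append(txn)
    return kept


def line_count(txns):
    """Total number of raw log lines across a list of transactions."""
    return sum(len(txn) for txn in txns)


if __name__ == "__main__":
    before = filter_then_transaction(EVENTS, XID_LOOKUP)
    after = transaction_then_filter(EVENTS, XID_LOOKUP)
    spanned = transaction_then_filter(EVENTS, XID_LOOKUP, maxspan=60)
    print("filter before transaction:", line_count(before), "lines")   # 2
    print("filter after transaction: ", line_count(after), "lines")    # 6
    print("with maxspan=60:          ", line_count(spanned), "lines")  # 5
```

Filtering first yields only the two XID lines; filtering after `transaction` returns every line of sessions s1 and s3 and drops s2 (whose XID is not in the lookup). With maxspan=60 the late `GET /logout` in s3 becomes a separate transaction with no XID and is dropped, which is the kind of cut-off to check for when adding maxspan for speed.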