Transactions grouped based on Field value and star...

Dark_Ichigo · ‎03-15-2012

Using the transaction command, I want to group a number of events to obviously make up a transaction but each contains the same field value for example, Field=334334 all events with this field number should be grouped into one trnasaction but with 2 other startswith and endswith events added to it, how can this be done?

Drainy · ‎03-16-2012

I think it sounds like you want to transaction a set of events based on startswith and endswith, and also run a separate transaction based on a Field value and then append them like this;

searchquery | transaction startswith=blah endswith=bleh | join Field [searchquery | transaction Field]

I am making a few assumptions as said above, also I am assuming that they might be different datasources as otherwise you may end up with duplicate results (that you could filter with a | dedup)

kristian_kolb · ‎03-16-2012

Could you provide a sample of the log? I'd guess from the fact that you are asking that events from these transactions are can overlap each other, i.e;

Start A
Event A
Start B
Event A
Event B
Event A
End A
Event B
End B

However, the field 334334 is not present in the start/end events, right?

/k

Transactions grouped based on Field value and startswith endswith functions

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor