Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append or join transactions

saradachelluboy
Explorer
‎07-20-2016 06:45 PM

Hi All,

I have two different transactions. individually it works perfect but can some one help me to append the two transactions because
the thread ,startwith and endswith everything is different for both the transactions.

index="i" sourcetype="s"  | rex "(?jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   | eval ms= duration*1000  

index="i" sourcetype="s"  | rex "(?http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+)" | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml" | eval ms= duration*1000

I tried to play around with transaction, I think field cann't be assigned to satrtswith/endswith

rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)" | 
rex "(?<transtarted>LoggingMessageConverter\s\|\srequest:|WebService\sRequest:\s\<\?xml)"|
rex "(?<tranended>LoggingMessageConverter\s\|\sresponse:|WebService\sResponse:\s\<\?xml)" |
transaction thread startswith=transtarted endswith=tranended
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-20-2016 08:07 PM

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem; transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this - it isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"  
| rex "(?jmsListener\w-\d+)"  
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   
append [ search  index="i" sourcetype="s"  
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml"  ]
| eval ms= duration*1000

Finally, you also had a syntax error in the second rex - there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-20-2016 08:07 PM

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem; transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this - it isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"  
| rex "(?jmsListener\w-\d+)"  
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   
append [ search  index="i" sourcetype="s"  
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml"  ]
| eval ms= duration*1000

Finally, you also had a syntax error in the second rex - there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-20-2016 09:21 PM

Thanks a lot I tried with append. It works perfect!!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-20-2016 06:58 PM

What all fields you're using in your final output? (or planning to use)

0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-20-2016 07:08 PM

I created thread,transtarted,& tranended using rex but these are not real fields created by splunk.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-20-2016 07:13 PM

No, I'm thinking a way to eliminate transaction command itself, but that will require the fields that you want to use in your final expected output. Do you just need _time thread and duration OR any other fields?

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-20-2016 07:55 PM

I agree with @somesoni2 - if we knew more, you could perhaps avoid using the transaction command altogether.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...