Splunk Search

How to combine multiple transactions and still see the events grouped by transaction?

swimboy
New Member

I've created two transaction types, one named mail that finds all of the postfix events with the same queue_id; and a second named spamd that finds all of the spamassassin records for a single email by using the pid and startswith and endswith criteria. I've also extracted a custom field named spamd_message_id that matches the message_id in the postfix events.

The standard flow of email through my system goes through postfix, then gets passed off to spamassassin if not rejected by an RBL, then back to postfix to be delivered to the user.

If I search like this: sourcetype=syslog | transaction name=mail, I get a list of postfix transactions as I expect. Likewise, if I search like this: sourcetype=syslog | transaction name=spamd, I get a list of spamassassin transactions.

But I can't figure out how to combine the three transactions that are all related by the message_id and spamd_message_id fields. I've put eval new_message_id=if(len(message_id)>0,message_id,if(len(spamd_message_id)>0,spamd_message_id,NULL)) before the transactions so that new_message_id can be a common field between the two transactions, but I can't find any way of combining them.

What can I do to see all of the events from the two different transaction types grouped together by new_message_id?

0 Karma

sundareshr
Legend

See if this works for you

sourcetype=syslog (name=mail OR name=spamd) | eval messageid=coalesce(message_id, spamd_message_id) | eventstats values(pid) as pid by messageid | table _time _raw messageid pid | sort messageid

*OR*

sourcetype=syslog (name=mail OR name=spamd) | eval messageid=coalesce(message_id, spamd_message_id) | eventstats last(pid) as pid by messageid | stats list(_raw) as _raw list(_time) as _time by messageid pid

0 Karma

swimboy
New Member

This doesn't work because it's not a field named "name", but a transaction named "mail" or "spamd" that selects the information that I'm interested in. I can't seem to use the OR command to combine two transaction searches into one result. I was hoping that I could use

sourcetype=syslog | transaction name=(mail OR spamd)

at the beginning of my search, but no matter how I structure the query, I keep getting the error that "name" should not be specified more than once.

0 Karma
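The grouping the question is after (postfix events chained by queue_id, spamd events chained by pid between the startswith and endswith markers, and the two chains joined through the shared message_id) can be worked out outside Splunk to see what the combined transactions should look like before settling on a query. The script below is an added example, not code from this thread or from Splunk; the syslog lines, the regexes and the field names (queue_id, message_id, new_message_id) are constructed for the example and approximate real postfix/spamd output. It reproduces the "startswith" rule by starting a fresh spamd group every time a pid logs "processing message", because spamd child processes are reused across messages and grouping on pid alone would merge unrelated mail.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real traffic). The postfix/spamd
# formats are approximated, and spamd pid 3301 is deliberately reused for
# two different messages to show why pid alone is not a safe grouping key.
SAMPLE_LOG = """\
Jan 10 10:00:01 mx postfix/smtpd[1201]: A1B2C3: client=example.net[192.0.2.10]
Jan 10 10:00:01 mx postfix/cleanup[1202]: A1B2C3: message-id=<msg-1001@example.net>
Jan 10 10:00:02 mx spamd[3301]: spamd: processing message <msg-1001@example.net> for alice:1000
Jan 10 10:00:03 mx spamd[3301]: spamd: clean message (1.2/5.0) for alice:1000 in 1.0 seconds
Jan 10 10:00:04 mx postfix/qmgr[1203]: A1B2C3: from=<bob@example.net>, size=1234, nrcpt=1 (queue active)
Jan 10 10:00:05 mx postfix/local[1204]: A1B2C3: to=<alice@example.org>, status=sent (delivered to mailbox)
Jan 10 10:00:06 mx postfix/smtpd[1201]: D4E5F6: client=other.example[198.51.100.7]
Jan 10 10:00:06 mx postfix/cleanup[1202]: D4E5F6: message-id=<msg-2002@other.example>
Jan 10 10:00:07 mx spamd[3301]: spamd: processing message <msg-2002@other.example> for alice:1000
Jan 10 10:00:08 mx spamd[3301]: spamd: identified spam (12.4/5.0) for alice:1000 in 1.1 seconds
Jan 10 10:00:09 mx postfix/smtpd[1205]: NOQUEUE: reject: RCPT from bad.example[203.0.113.9]: 554 5.7.1 blocked using rbl.example
"""

# Assumed line layout: "<timestamp> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<prog>[\w/]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QUEUE_RE = re.compile(r"^(?P<queue_id>[0-9A-F]{6,}): ")          # postfix queue id prefix
POSTFIX_MSGID_RE = re.compile(r"message-id=<([^>]+)>")            # the cleanup(8) line
SPAMD_MSGID_RE = re.compile(r"processing message <([^>]+)>")      # spamd start marker


def parse_event(line):
    """Extract the fields the transactions are keyed on; None for lines we ignore."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"_time": m["ts"], "pid": m["pid"], "_raw": line, "queue_id": None, "message_id": None}
    body = m["msg"]
    if m["prog"].startswith("postfix/"):
        ev["type"] = "mail"
        q = QUEUE_RE.match(body)
        if q:
            ev["queue_id"] = q["queue_id"]
        mid = POSTFIX_MSGID_RE.search(body)
        if mid:
            ev["message_id"] = mid[1]
    elif m["prog"] == "spamd":
        ev["type"] = "spamd"
        mid = SPAMD_MSGID_RE.search(body)
        if mid:
            ev["message_id"] = mid[1]
    else:
        return None
    return ev


class DisjointSet:
    """Union-find over correlation keys, so keys shared by any event end up in one group."""
    def __init__(self):
        self.parent = {}

    def find(self, k):
        self.parent.setdefault(k, k)
        while self.parent[k] != k:
            self.parent[k] = self.parent[self.parent[k]]  # path halving
            k = self.parent[k]
        return k

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(log_text, spamd_startswith="processing message"):
    """Group mail and spamd events into combined transactions linked by message_id."""
    events = [ev for ev in (parse_event(l) for l in log_text.splitlines()) if ev]
    ds = DisjointSet()
    spamd_generation = defaultdict(int)  # pid -> number of start markers seen so far
    first_key = []
    for i, ev in enumerate(events):
        keys = []
        if ev["type"] == "mail" and ev["queue_id"]:
            keys.append(("queue", ev["queue_id"]))
        if ev["type"] == "spamd":
            if spamd_startswith in ev["_raw"]:
                spamd_generation[ev["pid"]] += 1      # new message on a reused pid
            keys.append(("spamd", ev["pid"], spamd_generation[ev["pid"]]))
        if ev["message_id"]:
            keys.append(("msg", ev["message_id"]))   # the bridge between the two types
        if not keys:
            keys.append(("event", i))                # e.g. NOQUEUE rejects stand alone
        for k in keys[1:]:
            ds.union(keys[0], k)
        first_key.append(keys[0])

    groups = defaultdict(list)
    for ev, k in zip(events, first_key):
        groups[ds.find(k)].append(ev)
    txns = []
    for evs in groups.values():
        mid = next((e["message_id"] for e in evs if e["message_id"]), None)
        txns.append({"new_message_id": mid, "types": sorted({e["type"] for e in evs}), "events": evs})
    txns.sort(key=lambda t: t["events"][0]["_time"])  # same-day timestamps sort lexically
    return txns


if __name__ == "__main__":
    for t in correlate(SAMPLE_LOG):
        print(t["new_message_id"], t["types"], len(t["events"]), "events")
```

Running it on the sample yields three transactions: six events for msg-1001 and four for msg-2002, each containing both the mail and spamd types, plus a one-event transaction for the RBL reject that never reached spamassassin. The keys that do the joining are exactly queue_id, the per-message spamd pid generation, and the coalesced message_id, which is the set of fields a single Splunk-side grouping would need to link on instead of two separately named transactions.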