Is there any way to compare fields within a transaction to find all transactions where some field has the same value (or different values) across all events in the transaction?
My transaction search:
index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host
You can use the search command to check whether a specific value is present or absent in the transaction's field.
To see if the string "foo" is present in ThreadId, add | search ThreadId="foo"
index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId="foo"
To see if the string "bar" is missing from ThreadId, add | search ThreadId!="bar"
index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId!="bar"
I downvoted this post because I am not trying to search for transactions with a specific thread id, but for transactions where a specified field inside them has different values.
@broman,
Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.
Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
Can you give an example with some sample data to explain? Like a sample ThreadId and fieldX? If you have to group fields together and then work on the values of another field after joining, then stats might work better than transaction.
Please give an example so that I can make any correction if required. My intent was to state the fact that the search command can be used to look through multivalued fields, and that the equal to (=) and not equal to (!=) operators can be used for comparison with the expected results.
You could do this:
index=ourindex sourcetype=aem_error
| rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]"
| transaction maxpause=4m keepevicted=true ThreadId host
| eval firstX=mvindex(X,0)
| where X!=firstX
This will keep only transactions where the values for field X are not all the same. To only keep transactions where the values of field X are all the same, replace the where command with this one:
| where NOT X!=firstX
It looks promising but doesn't work 😞 I have firstX in the fields list, but when I add the last line it doesn't return anything. But inspired by mvindex I found mvcount in the documentation and wrote this query:
index=mysource sourcetype=aem_error
| rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]"
| rex field=_raw "(\s+[^\s]+){2} \[(?<fieldX>\S+)"
| transaction maxpause=4m keepevicted=true ThreadId host
| eval xCount=mvcount(fieldX)
| where xCount!=1
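As an added, self-contained example (not code from the thread), this query builds four constructed AEM-style error.log lines with makeresults, applies the two rex extractions from the question, groups the events with transaction and keeps only the request ids whose fieldX (here the client IP) differs between events. It relies on transaction's default mvlist=false, which stores each field of a transaction as a set of unique values, so mvcount returns the number of distinct values; the timestamp format, the host name and the sample lines are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n==1, "30.07.2019 11:05:48.889 *ERROR* [10.0.0.1 [1001] GET /content/a HTTP/1.1] com.example.Foo request failed",
    n==2, "30.07.2019 11:05:49.100 *ERROR* [10.0.0.2 [1001] GET /content/a HTTP/1.1] com.example.Bar retry failed",
    n==3, "30.07.2019 11:05:50.000 *ERROR* [10.0.0.3 [1002] GET /content/b HTTP/1.1] com.example.Foo request failed",
    n==4, "30.07.2019 11:05:51.000 *ERROR* [10.0.0.3 [1002] GET /content/b HTTP/1.1] com.example.Baz render failed")
| rex field=_raw "^(?<ts>\S+ \S+)"
| eval _time=strptime(ts, "%d.%m.%Y %H:%M:%S.%3N"), host="aem-author-1"
| sort 0 -_time
| rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]"
| rex field=_raw "(\s+[^\s]+){2} \[(?<fieldX>\S+)"
| transaction maxpause=4m keepevicted=true ThreadId host
| eval distinctX=mvcount(fieldX)
| where distinctX > 1
| table ThreadId fieldX distinctX eventcount
```

Replace `where distinctX > 1` with `where distinctX = 1` to keep only the transactions whose fieldX values all agree.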