Splunk Search

How to write a transaction search to expand multivalued fields into separate single value events?

dc595
Explorer

Hi,

I'm having difficulties expanding a multivalued Transaction event back into individual events. The overall goal is to use the Transaction command | transaction Device SessionID maxpause=300s nullstr="~" mvlist=t delim="','" to create a common key between time-based events from 3 different indexes, then save those grouped events into a summary index, as displayed in the picture below.


With multivalued fields I'm having difficulties grouping a field with another, i.e. TransactionName with its respective Timestamp.
I would like to separate each multivalued row into a single value event, maintaining the fields and order.

I can provide more detail if required

Thank you in advance

1 Solution

sundareshr
Legend

First, you will have to combine them into a single field using mvzip. Then expand them into individual rows using mvexpand and, finally, split the fields using split() or rex. Something like this should get you started:

...| transaction Device SessionID maxpause=300s nullstr="~" mvlist=t delim="','" | eval z=mvzip('data.Timestamp', mvzip(epoch, mvzip(delta, mvzip(TransactionName, mvzip(Opcode, mvzip(SequenceSent, SequenceReceived)))))) | mvexpand z | rex field=z "(?<timestamp>[^,]+),(?<epoch>[^,]+),(?<delta>[^,]+),(?<TransactionName>[^,]+),(?<Opcode>[^,]+),(?<SequenceSent>[^,]+),(?<SequenceReceived>[^,]+)" | fields - z data.Timestamp




dc595
Explorer

Thank you this was very helpful


sundareshr
Legend

@dc595, if this helped, please click accept to close it out.


niketn
Legend

One of the options could be to add data.Timestamp and TransactionName as a new field using eval, then create the transaction and print the new field name. Provided data.Timestamp is a string time and not epoch. If it is epoch, use strftime after your base search.

<your base search> | eval 'data.Timestamp'=strftime('data.Timestamp', "%Y-%m-%d %H:%M:%S.%3N") | eval TransactionTimeAndName='data.Timestamp' . " - " . TransactionName | fields - data.Timestamp TransactionName | transaction Device SessionID maxpause=300s nullstr="~" mvlist=t delim="','" | <your remaining search>

Ideally you should use stats instead of transaction. Following is a sample using stats:

... | stats count as eventcount values(TransactionTimeAndName) as "Transaction Time and Name" min(_time) as MinTime max(_time) as MaxTime by Device SessionID | eval duration=MaxTime-MinTime
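Added example (not code from either answer, and not Splunk's own): a Python emulation of both approaches, sundareshr's mvzip/mvexpand/rex expansion and niketn's pre-bound Timestamp/TransactionName field, run on four constructed events so the behaviour can be checked without a Splunk instance. It assumes a reduced field set (data.Timestamp, TransactionName, Opcode, SequenceSent) and each function states which SPL command it stands in for. It shows why nullstr="~" in the transaction matters (every multivalue list stays the same length, so position i always means event i), that a value containing the mvzip delimiter silently shifts every later field with the answer's [^,]+ rex, that giving mvzip and the rex a delimiter absent from the data fixes it, and that the pre-bound field cannot drift apart because it was never two fields.

```python
"""Emulation, on constructed events, of the two SPL approaches in this thread.

Added example, not from the original posts or from Splunk.  Each function imitates
one SPL command and says which:
  transaction Device SessionID mvlist=t nullstr="~"   -> transaction_mvlist()
  eval z=mvzip(a, mvzip(b, ...)) | mvexpand z | rex   -> expand_with_mvzip()
  eval TransactionTimeAndName=... | stats list()      -> expand_with_prebound_field()
"""
import re
from collections import defaultdict

NULLSTR = "~"
KEYS = ("Device", "SessionID")
FIELDS = ["data.Timestamp", "TransactionName", "Opcode", "SequenceSent"]

# Constructed sample (not real data): three indexes feed one session keyed by
# Device+SessionID.  Event 1 (firewall side) carries no transaction fields, and
# event 3 has a comma inside a value, which is the case that breaks the rex.
EVENTS = [
    {"_time": 1000, "Device": "gw01", "SessionID": "s1", "data.Timestamp": "2023-05-01 09:00:00.000",
     "TransactionName": None, "Opcode": None, "SequenceSent": "1"},
    {"_time": 1001, "Device": "gw01", "SessionID": "s1", "data.Timestamp": "2023-05-01 09:00:01.000",
     "TransactionName": "Login", "Opcode": "0x10", "SequenceSent": "2"},
    {"_time": 1002, "Device": "gw01", "SessionID": "s1", "data.Timestamp": "2023-05-01 09:00:02.000",
     "TransactionName": "Transfer,Approve", "Opcode": "0x20", "SequenceSent": "3"},
    {"_time": 1003, "Device": "gw02", "SessionID": "s9", "data.Timestamp": "2023-05-01 09:05:00.000",
     "TransactionName": "Logout", "Opcode": "0x30", "SequenceSent": "1"},
]


def group_by_key(events, keys=KEYS):
    """Group events by the transaction key, oldest first (what transaction and stats do)."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        groups[tuple(ev[k] for k in keys)].append(ev)
    return groups


def transaction_mvlist(events, fields=FIELDS, nullstr=NULLSTR):
    """transaction ... mvlist=t nullstr="~": one multivalue list per field, where slot i
    of every list comes from event i and a missing value becomes nullstr, so all lists
    have the same length.  That equal length is what makes positional mvzip pairing valid."""
    out = []
    for key, evs in group_by_key(events).items():
        tx = dict(zip(KEYS, key))
        tx["eventcount"] = len(evs)
        for f in fields:
            tx[f] = [ev[f] if ev.get(f) is not None else nullstr for ev in evs]
        out.append(tx)
    return out


def mvzip(left, right, delim=","):
    """eval mvzip(X, Y, delim): stitch value i of X to value i of Y."""
    return [f"{l}{delim}{r}" for l, r in zip(left, right)]


def expand_with_mvzip(tx, fields=FIELDS, delim=","):
    """sundareshr's approach: nest mvzip over all fields into z, mvexpand z into one row
    per value, then rex the pieces apart with (?<f>[^<delim>]+) groups.  Like Splunk's
    rex the match is not anchored at the end, so a value that contains the delimiter
    shifts every later field one slot to the left without raising any error."""
    z = tx[fields[0]]
    for f in fields[1:]:
        z = mvzip(z, tx[f], delim)
    esc = re.escape(delim)
    pattern = re.compile(esc.join(f"(?P<f{i}>[^{esc}]+)" for i in range(len(fields))))
    rows = []
    for value in z:                                              # mvexpand z
        row = {k: v for k, v in tx.items() if k not in fields}   # single-value fields survive mvexpand
        m = pattern.match(value)                                 # rex field=z "..."
        for i, f in enumerate(fields):
            row[f] = m.group(f"f{i}") if m else None
        rows.append(row)
    return rows


def expand_with_prebound_field(events, sep=" - "):
    """niketn's approach: bind Timestamp and TransactionName into one string per event
    before grouping, then stats list(TransactionTimeAndName) by Device SessionID.  The pair
    cannot come apart because it was never two fields.  list() keeps input order; the
    answer's values() sorts lexicographically and dedupes, which only matters when two
    events share both timestamp and name."""
    result = {}
    for key, evs in group_by_key(events).items():
        bound = [f"{ev['data.Timestamp']}{sep}{ev.get('TransactionName') or NULLSTR}" for ev in evs]
        result[key] = {"eventcount": len(evs), "TransactionTimeAndName": bound}
    return result


def demo():
    """Run both approaches on the sample; returns (transactions, naive rows, safe rows, bound)."""
    txs = transaction_mvlist(EVENTS)
    s1 = next(t for t in txs if (t["Device"], t["SessionID"]) == ("gw01", "s1"))
    naive = expand_with_mvzip(s1, delim=",")   # the thread's rex: misaligns on "Transfer,Approve"
    safe = expand_with_mvzip(s1, delim="|")    # delimiter absent from the data: clean split
    return txs, naive, safe, expand_with_prebound_field(EVENTS)


if __name__ == "__main__":
    txs, naive, safe, bound = demo()
    for label, rows in (("naive", naive), ("safe ", safe)):
        for row in rows:
            print(label, row["data.Timestamp"], "|", row["TransactionName"], "|", row["Opcode"], "|", row["SequenceSent"])
    print(bound[("gw01", "s1")])
```

Run it directly to print the three s1 rows split both ways. In Splunk the equivalent fix is passing a third argument to mvzip, e.g. mvzip(X, Y, "|"), and using [^|]+ in the rex groups, after checking with something like | where like(TransactionName, "%|%") that the chosen delimiter never occurs in the data.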

dc595
Explorer

The mvzip approach is what I was trying to accomplish, but thank you for your response; it's very helpful.
