
How do I filter a transaction search based on the number of events in each transaction?

MikeRose
Explorer

I want to group search results by user & src_ip (e.g. via "transaction"); however, I only want to display results where there are more than x events per transaction. I can't find in the documentation whether the transaction grouping creates any variable I can then subsequently filter on.

E.g.

index=os sourcetype=syslog process=sshd Invalid | transaction user src_ip | ...?

1 Solution

MikeRose
Explorer

Found it:

index=os sourcetype=syslog process=sshd Invalid | transaction user src_ip | search eventcount>1

MuS
SplunkTrust
SplunkTrust

Hi MikeRose

After a transaction, all the transaction fields are merged into a single field.
Only one is kept if they are the same; if they are different, they are all concatenated.

Example:

    search * | eval raw=_raw | table host source source_IP raw

    host   source   source_IP        raw
    hostA  sourceA  192.168.168.73   "myrawevent"
    hostA  sourceA  192.168.168.10   "mysecondrawevent"

becomes the transaction

    search * | transaction | eval raw=_raw | table host source source_IP raw

    host   source   source_IP                         raw
    hostA  sourceA  "192.168.168.73 192.168.168.10"   "myrawevent mysecondrawevent"

so you may want to filter using wildcards, like

index=os sourcetype=syslog process=sshd Invalid | transaction user src_ip | WHERE src_ip="*192.168.168.73*"

or

index=os sourcetype=syslog process=sshd Invalid | transaction user src_ip | WHERE like(src_ip,"%192.168.168.73%")

or

index=os sourcetype=syslog process=sshd Invalid | transaction user src_ip | search src_ip="*192.168.168.73*"

cheers,

MuS
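
Added example, not from the thread or from Splunk itself: a small Python model of what `transaction user src_ip | search eventcount>x` does, run over a few constructed sshd syslog lines. It shows the eventcount and duration fields the accepted answer filters on, and the single-value versus multivalue merging MuS describes. The sample lines, the parsing regex, the simplified grouping (no maxspan/maxpause) and the function names are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample sshd syslog lines (not real log data).
SAMPLE = """\
2024-03-01T10:00:01 host1 sshd[101]: Invalid user admin from 192.168.168.73
2024-03-01T10:00:04 host1 sshd[102]: Invalid user admin from 192.168.168.73
2024-03-01T10:00:09 host1 sshd[103]: Invalid user test from 192.168.168.10
2024-03-01T10:00:12 host1 sshd[104]: Invalid user admin from 192.168.168.73
"""

# Assumed line layout for the constructed sample; real syslog extractions differ.
LINE = re.compile(r"^(?P<_time>\S+) (?P<host>\S+) sshd\[\d+\]: Invalid user "
                  r"(?P<user>\S+) from (?P<src_ip>\S+)$")

def parse(text):
    """Turn raw lines into events (dicts), keeping _raw like Splunk does."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            events.append({**m.groupdict(), "_raw": raw})
    return events

def transaction(events, fields):
    """Simplified model of `| transaction <fields>` with no maxspan/maxpause:
    one transaction per distinct combination of the key field values."""
    groups = {}
    for ev in events:
        groups.setdefault(tuple(ev[f] for f in fields), []).append(ev)
    result = []
    for members in groups.values():
        merged = {}
        for name in members[0]:
            if name in ("_time", "_raw"):
                continue
            # Identical values collapse to one; differing values become multivalue.
            values = list(dict.fromkeys(ev[name] for ev in members))
            merged[name] = values[0] if len(values) == 1 else values
        times = [datetime.fromisoformat(ev["_time"]) for ev in members]
        merged["_time"] = min(times).isoformat()                   # earliest event
        merged["_raw"] = "\n".join(ev["_raw"] for ev in members)  # raw text concatenated
        merged["eventcount"] = len(members)
        merged["duration"] = (max(times) - min(times)).total_seconds()
        result.append(merged)
    return result

def noisy_sources(text, min_events):
    """The thread's search: `transaction user src_ip | search eventcount>x`."""
    return [t for t in transaction(parse(text), ["user", "src_ip"])
            if t["eventcount"] > min_events]
```

With the sample above, only the admin/192.168.168.73 transaction survives `eventcount>1` (three events, 11 seconds apart end to end); the single `test` attempt is dropped.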

MuS
SplunkTrust
SplunkTrust

Hi MikeRose
For two reasons, my answer was useful.
1. If you don't know what happens to fields in transactions, you are not able to 'filter' anything.
2. One of my examples provided the solution for you 😉

cheers,
MuS


MikeRose
Explorer

There is no need to take it personally or get upset, I was being objective. I down-voted your answer because it was not useful and didn't address the question. As you can see ("...where there is more than x events per transaction"), my original question is about filtering transactions by number of events, not how fields are handled in transactions. I wasn't passing judgement on you personally.


MuS
SplunkTrust
SplunkTrust

Wow, bad day today? I was just trying to help and explain how the fields are handled in transactions.

MikeRose
Explorer

I think you misunderstood me. Your suggestions are not helpful. I wanted to filter the resulting list of transactions based on the number of events per transaction.
