Splunk Search

How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)")

ib_321
New Member

My goal is to create a transaction that ends with customerId being "(null)" and starts with customerId being something other than "(null)". Here is my query:

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") maxspan=10m | stats count by deviceId

When I inspect the resulting list of deviceIds, none of them meet the criteria that I wanted for my transaction--none of them go from customerId!="(null)" to customerId="(null)". I have tried reversing the log ... | reverse | transaction ..., but I get the same result.

The only explanation I have come up with is that this has something to do with comparison to "(null)"--that in the end customerId will always be "(null)" after the last event--but this query compares customerId to the string "(null)" so that doesn't make sense.

Any help would be greatly appreciated. Thanks in advance.


493669
Super Champion

Hi @ib_321,
Before the transaction command, add | fillnull, which will fill all null values with zero.
Try below:

... | fillnull | transaction deviceId startswith=(customerId!="0") endswith=(customerId="0") maxspan=10m | stats count by deviceId

ib_321
New Member

Thank you for your response. This didn't resolve the issue.

I don't think fillnull replaces "(null)". For example,

... | fillnull | search customerId="(null)"

returns a bunch of events.


ddrillic
Ultra Champion

Interesting, the documentation at fillnull says -

... | fillnull

-- For the current search results, fill all empty fields with zero.


493669
Super Champion

Ohhk.. I thought it's a null field, but it's a string "(null)".
Try below:

... | transaction deviceId startswith=(customerId!="(null)") endswith=eval(match(customerId, "(null)")) mvlist=true maxspan=10m | stats count by deviceId

ib_321
New Member

That seems to have solved my problem. Thank you!

Can you explain why this query worked while mine didn't?


493669
Super Champion

I think your query will also work, just add mvlist=true:

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") mvlist=true maxspan=10m | stats count by deviceId

The mvlist attribute controls whether the multivalue fields of the transaction are (1) a list of the original events ordered in arrival order or (2) a set of unique field values ordered lexicographically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists.

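To make the semantics discussed in this thread concrete (startswith/endswith on a literal "(null)" string, maxspan eviction, and what mvlist=true changes about the rendered customerId field), here is an added Python model; it is not part of the thread and not Splunk's own code. The Event fields and sample events are constructed, and the model simplifies the transaction command (default keepevicted=false, one open transaction per deviceId).

```python
from dataclasses import dataclass

@dataclass
class Event:
    time: float      # seconds (constructed sample timestamps)
    deviceId: str
    customerId: str  # may be the literal string "(null)", not an empty field

# Constructed sample: d1 goes from a real customer to "(null)", d2 only ever
# reports "(null)", d3 changes too, but only after maxspan has elapsed.
EVENTS = [
    Event(0, "d1", "cust-42"), Event(60, "d1", "cust-42"), Event(120, "d1", "(null)"),
    Event(0, "d2", "(null)"), Event(30, "d2", "(null)"),
    Event(0, "d3", "cust-7"), Event(900, "d3", "(null)"),
]

def startswith_real(e): return e.customerId != "(null)"  # startswith=(customerId!="(null)")
def endswith_null(e): return e.customerId == "(null)"    # endswith=(customerId="(null)")

def transaction(events, startswith, endswith, maxspan, mvlist=False):
    """Simplified model of `| transaction deviceId startswith=... endswith=...
    maxspan=...` with keepevicted=false: a transaction opens on an event matching
    startswith, closes on the next event matching endswith, and is silently
    evicted if it grows past maxspan. Returns one dict per closed transaction."""
    open_tx, closed = {}, []
    for e in sorted(events, key=lambda ev: ev.time):
        tx = open_tx.get(e.deviceId)
        if tx is not None and e.time - tx[0].time > maxspan:
            del open_tx[e.deviceId]            # evicted: never emitted
            tx = None
        if tx is None:
            if startswith(e):
                open_tx[e.deviceId] = [e]
            continue
        tx.append(e)
        if endswith(e):
            ids = [x.customerId for x in tx]
            closed.append({"deviceId": e.deviceId, "eventcount": len(tx),
                           # mvlist=true keeps every value in arrival order;
                           # the default renders a sorted set of unique values
                           "customerId": ids if mvlist else sorted(set(ids))})
            del open_tx[e.deviceId]
    return closed

def count_by_device(transactions):
    """Equivalent of `| stats count by deviceId`."""
    counts = {}
    for t in transactions:
        counts[t["deviceId"]] = counts.get(t["deviceId"], 0) + 1
    return counts
```

With the sample above, transaction(EVENTS, startswith_real, endswith_null, 600, mvlist=True) returns only the d1 transaction, with customerId ["cust-42", "cust-42", "(null)"]; with the default mvlist the same transaction renders customerId as ["(null)", "cust-42"], which is why inspecting the field alone can hide the real-to-"(null)" order.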