Splunk Search

How do I use transaction to extract my required information?

jwindley_splunk
Splunk Employee

I'm very new to Splunk and need to get some details about a transaction which spans multiple events. I'm trying to get my head around how transaction works, or whether this can even be done without using transaction.

Sample logs:

Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: to=, delay=00:00:17, pri=14653393, stat=Message exceeds maximum fixed size (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: message size (14623393) exceeds maximum (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: from=, size=14623393, class=0, nrcpts=1, msgid=64db010c0702181944g15241075qf40af0a1cb398e30@mail.example.com, proto=ESMTP, daemon=MTA, relay=wr-out-0506.example.com [64.233.184.225]

Flow of what needs to be achieved:
1. Search for an event where stat!=Sent.
2. Search for all other (2) events with the same qid (l1J3iwHw009562).
3. Extract other information from the transaction, such as msgid, size, from, to.

I have tried a variety of different things, and really think this should return what I want, but it does not.

index=maildata | transaction qid startswith="stat!=Sent" endswith="msgid=*"

Thanks in advance

0 Karma
1 Solution

elliotproebstel
Champion

Based on the discussion from the other answer, I have a suggestion:

index=maildata 
| stats first(stat) AS stat, values(msgid) AS msgid, values(size) AS size, values(from) AS from, values(to) AS to by qid
| search stat!="Sent"


damode
Motivator

Hi, were you able to properly identify and extract the time format for this event?

0 Karma

jwindley_splunk
Splunk Employee

I really appreciate your help and can now see how this is better than transaction. Thank you.

0 Karma

richgalloway
SplunkTrust

Try this variation on your query.

index=maildata | transaction qid startswith=eval(stat!="Sent") endswith="msgid="

Here's a similar query that doesn't use transaction.

index=maildata | stats values(msgid) as msgid, values(size) as size, values(from) as from, values(to) as to by QID
---
If this reply helps you, Karma would be appreciated.

jwindley_splunk
Splunk Employee

Thanks Rich. Unfortunately neither of those is returning results for me. Interesting that it can be done with stats; that would greatly improve the search time indeed.

0 Karma

elliotproebstel
Champion

Does the latter return results for you if you replace QID with qid? Splunk is case-sensitive about field names. You referenced it in one place in caps and another place in lower-case, so I thought I'd toss this out.

If not, that suggests that maybe your field extractions aren't functioning as expected.

jwindley_splunk
Splunk Employee

Apologies, yes, I tried with lower-case qid and it did work. However, it needs to return details about a session (qid) only if the session contains an event where stat!=Sent. This answer returns everything.

0 Karma
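To make concrete what the accepted stats-based answer does with the three sendmail lines from the question, and why the earlier `by QID` variant returned nothing, here is an added Python example (not Splunk code and not part of this thread). It re-implements, in plain Python, the `stats first(stat) values(msgid) values(size) values(from) values(to) by qid | search stat!="Sent"` pipeline over constructed log lines: the three events quoted above with placeholder addresses filled in, plus a second, delivered queue id so the final filter has a session to drop. The regexes, function names and sample addresses are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample data, modelled on the sendmail events quoted in the question.
# Addresses are placeholders; the second queue id (l1J3jZab009570) is invented so
# that the final stat filter has a successfully delivered session to discard.
# Real sendmail logs append the relay's response after "Sent" (e.g. "Sent (250 OK)"),
# so a production filter would match on the prefix rather than exact equality.
SAMPLE_LOG = """\
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: to=<bob@example.org>, delay=00:00:17, pri=14653393, stat=Message exceeds maximum fixed size (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: message size (14623393) exceeds maximum (8000000)
Feb 18 21:45:15 smtp2 sm-mta[9562]: l1J3iwHw009562: from=<alice@example.com>, size=14623393, class=0, nrcpts=1, msgid=64db010c0702181944g15241075qf40af0a1cb398e30@mail.example.com, proto=ESMTP, daemon=MTA, relay=wr-out-0506.example.com [64.233.184.225]
Feb 18 21:46:02 smtp2 sm-mta[9570]: l1J3jZab009570: from=<carol@example.com>, size=1024, class=0, nrcpts=1, msgid=abc123@mail.example.com, proto=ESMTP, daemon=MTA, relay=mail.example.com [192.0.2.10]
Feb 18 21:46:03 smtp2 sm-mta[9571]: l1J3jZab009570: to=<dave@example.org>, delay=00:00:01, pri=31024, stat=Sent
"""

# The queue id follows the "sm-mta[pid]: " prefix; everything after it is key=value pairs.
QID_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+):")
KV_RE = re.compile(r"(?P<key>\w+)=(?P<val>[^,]*)")


def parse_event(line):
    """Extract qid plus any key=value fields from one sendmail line.

    Lines without a queue id are skipped (returns None).  The 'message size ...'
    line yields only qid, which is fine: it still belongs to the session.
    """
    m = QID_RE.search(line)
    if m is None:
        return None
    fields = {"qid": m.group("qid")}
    for kv in KV_RE.finditer(line[m.end():]):
        fields[kv.group("key")] = kv.group("val").strip()
    return fields


def stats_by(events, key, first_fields=("stat",), values_fields=("msgid", "size", "from", "to")):
    """Mimic `stats first(...) values(...) by <key>`: one row per distinct key value.

    first(): the value from the first event seen for that key (Splunk's first()
    follows the search's own result order, which is most-recent-first by default).
    values(): the set of distinct values across the session.
    Events that lack the group-by field are dropped, as Splunk does, which is why
    grouping by QID (wrong case) produces no rows when the extracted field is qid.
    """
    rows = OrderedDict()
    for ev in events:
        if key not in ev:
            continue
        row = rows.setdefault(ev[key], {key: ev[key]})
        for f in first_fields:
            if f in ev and f not in row:
                row[f] = ev[f]
        for f in values_fields:
            if f in ev:
                row.setdefault(f, set()).add(ev[f])
    return list(rows.values())


def failed_sessions(log_text, key="qid"):
    """Sessions whose first stat is not 'Sent', i.e. `... | search stat!="Sent"`.

    As in Splunk, `stat!="Sent"` only matches rows that actually have a stat field;
    a session with no stat at all is not returned.
    """
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    return [row for row in stats_by(events, key)
            if "stat" in row and row["stat"] != "Sent"]


if __name__ == "__main__":
    for row in failed_sessions(SAMPLE_LOG):
        print(row)
    # Same pipeline keyed on the wrong-case field name: no rows at all.
    print("rows with key=QID:", failed_sessions(SAMPLE_LOG, key="QID"))
```

Running it prints one row, for l1J3iwHw009562, carrying the size, msgid, from and to collected from all three of its events, while the delivered session is dropped; the `key="QID"` call returns an empty list, which is the symptom seen in the thread when the field name case did not match the extraction.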