How to Display transaction result in a table

smolcj · ‎02-05-2013

Hi,
I have a search using transaction command
mysearch | transaction startswith=start endswith=end
and I am getting several events as one event, i would like those events to be displayed in a table.

Is it possible to do so??
please help
Thank you

nmulm · ‎09-22-2017

Just to follow up as I had a similar issue, I think that you can get all the lines that each transaction returns into a single row by using _raw as your field e.g.

transaction | table _raw field1 field2 etc etc

gwallin042 · ‎04-20-2013

I think you want:

mysearch | transaction startswith=start endswith=end mvlist=t | table field1, field2, field3

By default transaction will "group" like values, mvlist tells it to display repeated values in your resulting table

The next issue i haven't figured out yet will be if you need to export the results. . .

smolcj · ‎02-07-2013

I am using this search index=main source=file.txt|transaction startswith=TM_6000 endswith=TM_6020 maxevents=10000
and my output is like
It looks so crappy and i am not able to use redirection for this ... appending a table command after transaction gives

i want it as a normal table that i can provide external links to some of the field

MuS · ‎02-07-2013

like kkolb said: provide some samples, real samples of your log events. perhaps we are then able to help.....

smolcj · ‎02-06-2013

i am not getting proper table .. the values are deduplicated , for example if the severity is info for 5 events, it will show only once, something like we used values(field) or list (field).. i am in need of exact table 😞

MuS · ‎02-06-2013

as Ayn already stated, why don't just use the table command next?

smolcj · ‎02-06-2013

My log events are like this

timestamp ... event start ..
.
....some other events
.
timestamp... event end
.
.
timestamp..another eventstart
.
.
event end

So inorder to display all the events between start and stop i used transaction command
... | transaction startswith= "event star" ends with ="event end".. but i want those events to be displayed in tables.. How could i , is there any other alternative for transaction command?
Please help

kristian_kolb · ‎02-06-2013

I think a good idea would be to provide a few sample events, and a sketch of how you want the output.

Ayn · ‎02-06-2013

So if it's the combined events you want to show, what's stopping you from using table?

smolcj · ‎02-06-2013

Ayn, combined events that transaction creates should be displayed in tables and thereafter i have to use re-director to one of the field like severity.. i need to display all the events between specific keywords that is the reason i used transaction command

Ayn · ‎02-06-2013

Which events, the pre-transaction individual events or the combined events that transaction creates?

smolcj · ‎02-06-2013

Hi,
i dont want events as multivalued as because these events can be read through transaction command i did so.
i wan them to be in tables

bellaed · ‎02-06-2013

a table command after transaction can do the job

dart · ‎02-06-2013

smolcj, can you explain your use case more fully?

Ayn · ‎02-06-2013

So you're combining multiple events into one event, then you want that event to be displayed as...multiple events again?

smolcj · ‎02-05-2013

something related to this, but i my transaction uses startwith and endswith, i need tables in expanded form, now they are displaying as if i used list() ot values() i want it to be exactly like a normal table... any thoughts????
please help

How to Display transaction result in a table

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life