Splunk Search

simple question on transactions

bessery
New Member

The transaction command works with a common field across logs. how can we group multiple events which might have the same types of values (for eg. sessionid) but under a differnt field name? eg. value a0001 might be sessionid for sourcetype A but might be uid for sourcetype B.. Can this be done via tags/aliases?

Tags (1)
0 Karma

BenAveling
Path Finder

You could use a tag to select all records that have a particular value in different fields, but you'd need to tag and search for all the values you're interested in, and you'd still have the question of how to group the records.

To get the desired result, probably better to use something like this:

... | eval id = if(sessionid !="",sessionid ,uid) | transaction id

or this:

... | eval id=coalesce(sessionid ,uid) | transaction id

You can't just use "rename sessionid as uid", or "eval uid=sessionid", because rename and eval would overwrite the original values of uid.

0 Karma

jeff
Contributor

Either of these would work fine...

{your search criteria} | rename some_field as normalized_field | transaction normalized_field

{your search criteria} | eval normalized_field=some_field | transaction normalized_field

The difference between the two - "some_field" will not be available as a distinct field in the first query as it is renamed. The second will create a second field while leaving the original extracted field as part of the event.

BenAveling
Path Finder

Hi Ayn, you're right, I should have been "search b". Cut & paste error in the search, but what I said it returns is correct.

As written above, it returns nothing.

Corrected to:

 search... |  rename a as b | transaction b

it returns:

 a=1

It turns out that rename and eval do not merge, they overwrite, with null if 'a' doesn't exist.

To get the desired result you need to use something like

... | eval a_or_b = if(a!="",a,b) | transaction a_or_b

or

... | eval a_or_b=coalesce(a,b) | transaction a_or_b
0 Karma

Ayn
Legend

...but you're renaming a to b, then doing the transaction on a. Don't you want it to be b?

BenAveling
Path Finder

That doesn't seem to work for me. Transaction returns the entry with the renamed field or the eval'd field, but not the unrenamed field. It's as if the renaming has clobbered something.

i.e. given

a=1

and

b=1

Then

search... | rename a as b | transaction a

returns only

a=1
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...