
How do I re-insert newlines into transaction raw message for dashboard?

stucky101

I am working on a Dashboard Studio dashboard and I would like to add the output of a transaction the way it is usually shown in the search GUI, for debugging purposes, so I can easily see if the transaction is correct.

It turns out the only option I seem to have is a table, but there I only get the raw message. That is ugly and unreadable, of course, since the newlines are merged into one line.

Is there a way to do this within a dashboard and make the message look just like in the search GUI? Perhaps I could re-insert the newlines?

 

Thx

gcusello

Hi @stucky101,

Why don't you try to avoid the transaction command to get the result you want?

In other words: if you have to group events by a key (called "your_key") and you want to display three fields, instead of this transaction command:

<your_search>
| transaction your_key
| table _time your_key field1 field2 field3

you could run:

<your_search>
| stats 
   earliest(_time) AS _time 
   values(field1) AS field1
   values(field2) AS field2
   values(field3) AS field3
   BY your_key 

Ciao.

Giuseppe

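The stats rewrite above drops the per-event raw text, which is exactly what the question wants to inspect. As an added example (not from either poster), the same grouping can keep every event's _raw as a multivalue field, which a dashboard table renders one value per line, restoring the line breaks that a single merged _raw loses. It assumes the zone field has already been extracted upstream (the rex in the question is elided) and uses host and zone as the grouping key; "_time"/"sort 0" ordering and the field names end_time, event_count and raw_lines are choices made here, not from the page:

```spl
<your_search> zone=*
| sort 0 _time
| stats
    earliest(_time) AS _time
    latest(_time)   AS end_time
    count           AS event_count
    list(_raw)      AS raw_lines
    BY host zone
| eval duration=end_time-_time
| table _time host zone duration event_count raw_lines
```

Two caveats a practitioner should check before relying on this in place of transaction: list() keeps events in the order stats receives them (hence the sort) and is capped at 100 values per group, so very long transfers will be truncated; and stats has no notion of endswith, so two transfers of the same zone from the same host inside the search window are merged into one row, where transaction would have closed the first at "Transfer completed:" and started a second.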

stucky101
Engager

Giuseppe

I have many transactions and some are more complex, including startswith. I'm trying to extract an Infoblox zone transfer, and that is proving challenging, but transactions have helped a lot.

I also do the transaction by more than one field. For example, here I have extracted the zone name and then I do this:

query
| rex for zone
| transaction host zone endswith="Transfer completed:"

Besides, I'm sure there are times when you definitely need a transaction, and I was just wondering if you can re-format those back into the same style that the search app displays them.
