Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Multiple events returned in a single transaction - possible to create a single row in a table/csv file?

the_wolverine
Champion
‎10-22-2010 08:43 PM

I've got a transaction that returns 2 events. Originally these are 3 events but the transaction has combined 2 of them (I assume since they are from the same index/sourcetype.) When I output the fields (via outputcsv), I get 3 rows. Is it possible to have the output returned as a single row - as in a single transaction?

Here's an example of my search:

(index=corp OR index=mail) (sourcetype=fireeye OR sourcetype=imap) (fenotify=* OR Machine=*) 
  | transaction fenotify src_host connected=f maxspan=5m maxpause=5m 
  | fields + Date,Machine,src_ip,Subject,cef_dvendor,sname,dest_cnc_name,dest_cnc_channel_user_agent
0 Karma
Reply

southeringtonp
Motivator
‎10-23-2010 12:01 AM

IIRC, the call to fields with the plus sign won't get rid of the reserved fields. I'm guessing you're also still seeing _raw, _cd, and friends in the CSV?

Try adding a call to:

| fields - _*
0 Karma
Reply

the_wolverine
Champion
‎10-25-2010 03:53 PM

I'm not seeing any unspecified fields with this search but the issue is that the fields returned show up in multiple rows because these are actually multiple events

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...