- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Transaction command causing zero results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have events that come in on a webform save action that logs the value pairs of all data elements. They look something like this.
06/21/2012 06:26:18 AM
LogName=Application
SourceName=WebAsset
EventCode=10001
EventType=4
Type=Information
ComputerName=dev-web
Category=0
CategoryString=none
RecordNumber=90606
Message=Message=Save
@objId=641
@user=Admin1
@rqstrName=James Doe
@alt1RqstrName=Jane Doe
objId is the key value for the records.
I am trying to display changes per objId over time, but only if there are changes.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1
This query works fine and returns all expected results and all fields are still available.
When I add transaction a_objId to the end, it returns zero results.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1| transaction a_objId
Running this search shows multiple raw events for the objId still in the results.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" a_objId=<value> | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1
This search returns the desired results, just not filtered for for objIds with multiple events.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId
Any ideas on what I am doing wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You sir, have solved my dilemma. Thank you.
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
