The transaction command works with a common field across logs. How can we group multiple events which might have the same types of values (e.g. sessionid) but under a different field name? E.g. value a0001 might be sessionid for sourcetype A but might be uid for sourcetype B. Can this be done via tags/aliases?
You could use a tag to select all records that have a particular value in different fields, but you'd need to tag and search for all the values you're interested in, and you'd still have the question of how to group the records.
To get the desired result, probably better to use something like this:
... | eval id=if(sessionid!="", sessionid, uid) | transaction id
or this:
... | eval id=coalesce(sessionid, uid) | transaction id
You can't just use "rename sessionid as uid", or "eval uid=sessionid", because rename and eval would overwrite the original values of uid.
Either of these would work fine...
{your search criteria} | rename some_field as normalized_field | transaction normalized_field
{your search criteria} | eval normalized_field=some_field | transaction normalized_field
The difference between the two - "some_field" will not be available as a distinct field in the first query as it is renamed. The second will create a second field while leaving the original extracted field as part of the event.
Hi Ayn, you're right, it should have been "search b". Cut & paste error in the search, but what I said it returns is correct.
As written above, it returns nothing.
Corrected to:
search... | rename a as b | transaction b
it returns:
a=1
It turns out that rename and eval do not merge; they overwrite, with null if 'a' doesn't exist.
To get the desired result you need to use something like
... | eval a_or_b=if(a!="", a, b) | transaction a_or_b
or
... | eval a_or_b=coalesce(a, b) | transaction a_or_b
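To make the difference between the two approaches concrete (the rename/eval overwrite in the accepted answer above and the a/b test in this comment), here is a small Python model of the search pipeline. It is an added example, not Splunk code and not from anyone in this thread: the events are a constructed sample with the session value under `sessionid` in sourcetype A and under `uid` in sourcetype B, a null field is modelled as a missing key, and the helpers `rename_field`, `coalesce` and `transaction` are this example's own stand-ins for the SPL commands, written to reproduce the overwrite behaviour reported in the thread rather than every option of the real `transaction` command.

```python
"""Model of `rename ... | transaction` versus `eval coalesce ... | transaction`.

Added example; not Splunk code. Events are plain dicts, and a Splunk null
field is modelled as a missing key. The helper names are this example's own.
"""
from collections import OrderedDict

# Constructed sample events. Sourcetype A carries the session in `sessionid`,
# sourcetype B carries the same value in `uid`.
EVENTS = [
    {"_time": 1, "sourcetype": "A", "sessionid": "a0001", "msg": "login"},
    {"_time": 2, "sourcetype": "B", "uid": "a0001", "msg": "get /cart"},
    {"_time": 3, "sourcetype": "A", "sessionid": "a0002", "msg": "login"},
    {"_time": 4, "sourcetype": "B", "uid": "a0001", "msg": "logout"},
    {"_time": 5, "sourcetype": "B", "uid": "a0002", "msg": "get /cart"},
]


def rename_field(events, old, new):
    """`... | rename old AS new`, as the thread observed it: the target field is
    overwritten unconditionally, so it becomes null when the source is absent."""
    out = []
    for ev in events:
        ev = dict(ev)
        ev.pop(new, None)          # existing value of `new` is clobbered
        if old in ev:
            ev[new] = ev.pop(old)
        out.append(ev)
    return out


def coalesce(events, new, *fields):
    """`... | eval new=coalesce(f1, f2, ...)`: first non-null field wins and the
    original fields are left untouched."""
    out = []
    for ev in events:
        ev = dict(ev)
        for f in fields:
            if f in ev:
                ev[new] = ev[f]
                break
        out.append(ev)
    return out


def transaction(events, field):
    """Simplified `transaction field`: group events that share a value of
    `field`, in time order. Events without the field cannot be grouped."""
    groups = OrderedDict()
    for ev in sorted(events, key=lambda e: e["_time"]):
        if field in ev:
            groups.setdefault(ev[field], []).append(ev)
    return {k: [e["msg"] for e in v] for k, v in groups.items()}


def group_by_rename():
    """`rename sessionid AS uid | transaction uid`: B's uid values are lost."""
    return transaction(rename_field(EVENTS, "sessionid", "uid"), "uid")


def group_by_coalesce():
    """`eval id=coalesce(sessionid, uid) | transaction id`: both sides grouped."""
    return transaction(coalesce(EVENTS, "id", "sessionid", "uid"), "id")


if __name__ == "__main__":
    print("rename  :", group_by_rename())
    print("coalesce:", group_by_coalesce())
```

Running it shows the rename variant producing one-event "transactions" that contain only sourcetype A's login lines, while the coalesce variant stitches A's login together with B's requests for the same session. The same model also covers the `eval uid=sessionid` form from the answer, since an assignment clobbers the existing `uid` in exactly the way `rename_field` does.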
...but you're renaming a to b, then doing the transaction on a. Don't you want it to be b?
That doesn't seem to work for me. Transaction returns the entry with the renamed field or the eval'd field, but not the unrenamed field. It's as if the renaming has clobbered something.
i.e. given
a=1
and
b=1
Then
search... | rename a as b | transaction a
returns only
a=1