topic Re: _time field is lost after merging events with command transaction? in Splunk Search

_time field is lost after merging events with command transaction?

edigilink — Mon, 18 Jun 2018 20:42:13 GMT

I want to merge multiple events that contains the same ID into an unique event. For example:
{id: 123 setDate: 2018-08-18 status: completed }, {id: 123 setDate: 2018-08-17 status: started }

To solve it I am using the transaction function. Therefore it seems _time is overridden by transaction.

How could I merge the events without override _time or how could I extract override after merging?

Re: _time field is lost after merging events with command transaction?

somesoni2 — Tue, 29 Sep 2020 20:05:04 GMT

When you use the transaction command, the merged raw data will have timestamp/_time value of event that occurred the earliest (min of _time). If you want to have reference to _time of other event(s) as well, create a new field (e.g. | eval Timestmap=_time OR | eval Timestmap=strftime(_time,"%F %T") based on you want to retain epoch or string formatted date) before transaction.

Also, if all you do is merge based on id field, then use a stats command instead of using transaction to merge those events together. Just include appropriate fields in stats's aggregation list.

Re: _time field is lost after merging events with command transaction?

edigilink — Tue, 19 Jun 2018 18:17:36 GMT

Hello @somesoni2, thanks for replying. Perhaps my question is not complete. I would like to keep _time so I can use in timechart (which uses _time as x-axis by default).

Re: _time field is lost after merging events with command transaction?

Sukisen1981 — Tue, 29 Sep 2020 20:08:49 GMT

Hi - Did you try what @somesoni2 suggested?
Basically, what he is trying ti say is - if you need the _time field , you need to assign to an eval function BEFORE the pipe where your _time gets lost, then you need to set _time = the field that you stored the _time value, something like this :eval k=strptime(strftime(_time,"%Y-%m-%d%H:%M:S"),"%Y-%m-%d%H:%M:%S")|....|.....|....|eval _time=k| timechart xxxxx

Re: _time field is lost after merging events with command transaction?

edigilink — Wed, 18 Jul 2018 16:26:05 GMT

Hello @Sukisen1981. Sorry for the delay. Yes, I tried and it worked! Thanks

Re: _time field is lost after merging events with command transaction?

woodcock — Wed, 18 Jul 2018 17:41:05 GMT

I would avoid transaction completely. You can do much the same thing like this and it scales better:

Your Base Search Here
| stats list(_raw) AS _raw range(_time) AS duration min(_time) AS _time max(_time) AS end_time values(foo) AS foo other stuff here BY id