https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398275#M115524 <P>Does this work:</P> <PRE><CODE>|rex "serial\s(?&lt;SERIALNUMB&gt;\d+)" </CODE></PRE> Tue, 28 May 2019 19:14:02 GMT jodyfsu 2019-05-28T19:14:02Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398271#M115520 <P>Sample data:</P> <PRE><CODE>May 25 01:51:14 ns1 named[32063]: zone somezone.net/IN/default: notify from 192.168.10.20#31830: serial 558310538 May 25 03:16:17 ns1 named[32063]: zone somezone.net/IN/default: transferred serial 558310538: TSIG 'view12345' </CODE></PRE> <P>My issue is, without using the serial number which I've not been able to map to the same field name, the data won't be tracked correctly in a transaction. I get transactions with serial number that don't match. I need to know how long it took the DNS to notify then transfer somezone.net for the same exact serial number.</P> Tue, 28 May 2019 16:44:34 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398271#M115520 pkcbailey 2019-05-28T16:44:34Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398272#M115521 <P>Here was the query I started with: index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |transaction zonename startswith=notify endswith=transferred |where duration&gt;600 |table duration</P> Tue, 28 May 2019 16:47:04 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398272#M115521 pkcbailey 2019-05-28T16:47:04Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398273#M115522 <P>Before we address the transaction, you say, "without using the serial number which I've not been able to map to the same field name,"...</P> <P>Will a rex not work to get you the serial number, then you could use the serial number for the transaction?</P> Tue, 28 May 2019 18:22:52 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398273#M115522 jodyfsu 2019-05-28T18:22:52Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398274#M115523 <P>I'm not sure how to rex that into a single value.</P> Tue, 28 May 2019 19:01:46 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398274#M115523 pkcbailey 2019-05-28T19:01:46Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398275#M115524 <P>Does this work:</P> <PRE><CODE>|rex "serial\s(?&lt;SERIALNUMB&gt;\d+)" </CODE></PRE> Tue, 28 May 2019 19:14:02 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398275#M115524 jodyfsu 2019-05-28T19:14:02Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398276#M115525 <P>None of the rex code folks have provided group the transaction with the same serial number yet.</P> Wed, 29 May 2019 13:56:50 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398276#M115525 pkcbailey 2019-05-29T13:56:50Z https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398277#M115526 <P>Try this: </P> <PRE><CODE>index=dns host=ns1 ((notify AND serial) OR serial) somezone.net |rex "\s+serial\s+(?&lt;serial_test&gt;\d+)" | transaction serial_test,zonename max_events=2 startswith=notify endswith=transferred| where duration&gt;600 |table duration </CODE></PRE> Sun, 02 Jun 2019 17:17:58 GMT https://community.splunk.com/t5/Splunk-Search/Find-duration-on-transaction-where-field-name-doesn-t-match/m-p/398277#M115526 aromanauskas 2019-06-02T17:17:58Z