topic Re: How can I remove one of event from transaction result in Splunk Search

How can I remove one of event from transaction result

henrysoon80 — Fri, 22 Mar 2019 06:32:36 GMT

Recently i create a transaction search, command and result a per below
Search command:
search | transaction SessionId srcip destip starttime mvlist=t maxspan=5m keepevicted=true

Result table as per below:

May i know how to filter/remove those SessionEstablish="Success" and SessionCode="Drop" when eventcount is more than 1 and SessionType is MultiMode?

Thanks in advance.

Re: How can I remove one of event from transaction result

DMohn — Fri, 22 Mar 2019 08:26:59 GMT

You can add a filter condition after your search like this:

| search eventcount=1 OR (eventcount>1 AND SessionType="MultiMode" AND NOT (SessionEstablish="Success" AND SessionCode="Drop"))

Re: How can I remove one of event from transaction result

henrysoon80 — Mon, 25 Mar 2019 02:24:28 GMT

The Result was appear as per above attached, however i wish to get as per below result

Re: How can I remove one of event from transaction result

henrysoon80 — Mon, 25 Mar 2019 02:51:12 GMT

Hi DMohn, i had posted new comment waiting moderator review my post

Re: How can I remove one of event from transaction result

woodcock — Mon, 25 Mar 2019 05:22:42 GMT

The basic answer is DO NOT USE transaction. It is massive overkill, does not scale well, and when it tries to, it silently fails without telling you that it gave up in the middle. If it seems to work for you, I assure you that you are mistaken. Take a step back, post a set of raw events and then tell us what you are trying to do with them. We will give you an answer that does not use transaction.

Re: How can I remove one of event from transaction result

DMohn — Mon, 25 Mar 2019 07:19:49 GMT

This is not what you had described in your starting post ... If I comapre the initial screenshot with the one you posted as your "intended result", you only removed the "SessionCode = Drop" events. Is this what you are trying to do? If not, please go into detail a bit more and elaborate, which results you want to see (or not) - e.g. SessionType = Single or Multi, Session Code = ....