topic Re: Listing on all the field values of a transaction event in Splunk Search

Listing on all the field values of a transaction event

macadminrohit — Fri, 16 Feb 2018 00:53:32 GMT

I have created a transaction event based on the startswith and endswith functions. This new transaction event has clubbed all the original events into one event which has now got multiple fields with different field values.

For ex :

Event 1 , Message = A, Location = USA
Event 2, Message = B, Location = INDIA
Event 3, Message = C, Location = Mexico
Event 4, Message = D, Location = INDIA

Transaction Event:
Message = A, Location = USA
Message = B, Location = INDIA
Message = C, Location = Mexico
Message = D, Location = INDIA

Now since all the events are clubbed into one using the transaction command. How do i get all the field values of the field Location and Message. If i use | stats count values(Message),values(Location) by somefield. it is just showing me the unique values of Message and Location field. skipping the repeating ones.

I dont want to skip anything. Whats the best way out here?

Re: Listing on all the field values of a transaction event

493669 — Fri, 16 Feb 2018 01:18:39 GMT

Try to use list instead of values:

 | stats count list(Message), list(Location) by somefield

Re: Listing on all the field values of a transaction event

micahkemp — Fri, 16 Feb 2018 01:22:21 GMT

That is the expected behavior of transaction. Your events have been combined into one event, and there are no longer duplicate values for each field.

Re: Listing on all the field values of a transaction event

macadminrohit — Fri, 16 Feb 2018 15:39:14 GMT

If that is the case, then what would be taken as the field value . There are multiple fields with the same field name and multiple values.

Re: Listing on all the field values of a transaction event

micahkemp — Fri, 16 Feb 2018 15:45:24 GMT

The new event (which is made up of the original individual events) will have a field with multiple values. The new field values will be all of the unique values from the original event field of the same name.

So if you have the events:

name=me location=work status=working
name=me location=home status=sleeping
name=me location=work status=eating

My new event would look like:

name=me location=work,home status=working,sleeping,eating

(with comma separated values represening multi-value fields)

Re: Listing on all the field values of a transaction event

elliotproebstel — Fri, 16 Feb 2018 16:58:04 GMT

If your search is now concluding with:

| stats count values(Message),values(Location) by somefield

perhaps you should consider eliminating the transaction call earlier in the search? There are usually other ways to achieve whatever you're trying to do with transaction (often using eventstats or streamstats), and in my experience these other approaches are usually more efficient and less prone to silent failure. If you would like help changing the structure of the overall command so that you can calculate these stats at the end, you could update the post or add a comment here with more details about the SPL that you're using and what your intended goals are.

Re: Listing on all the field values of a transaction event

macadminrohit — Tue, 29 Sep 2020 18:04:48 GMT

This is my query, I am trying to get surrounding events when an error occurred in the logs, So i wrote the below query :

index=servers sourcetype=json macaddress="*"
| rename "bdy.msg" as Msg1,"bdy.ex.Msg" as Msg2, "appName" as App, "appVersion" as AppVers
| eval AppName_Version= App + "_" + AppVers
| transaction locId hostName macaddress endswith="Unhandled Exception" maxspan=60s
| stats count as Cnt,list(AppName_Version) as AppName_Version,list(Msg1) as Msg1,list(Msg2) as Msg2 by locId hostName macaddress
| sort -Cnt

Let me know how streamstats and eventstats can be used here.

Re: Listing on all the field values of a transaction event

macadminrohit — Fri, 16 Feb 2018 18:02:00 GMT

Thats where the problem is , I dont want to just find the unique values, I need all the values even if they are repeating.

name=me, location=work,home,work status=working,sleeping,eating

Re: Listing on all the field values of a transaction event

elliotproebstel — Fri, 16 Feb 2018 18:21:13 GMT

Ok, I'm going to riff off this post: https://answers.splunk.com/answers/310019/as-part-of-a-splunk-alert-is-it-possible-to-includ.html by @rich7177

So let's say the message "Unhandled Exception" occurs in a field called status. I think this might work:

index=servers sourcetype=json macaddress="*"
| rename "bdy.msg" as Msg1,"bdy.ex.Msg" as Msg2, "appName" as App, "appVersion" as AppVers
| eval AppName_Version= App + "_" + AppVers, exception_message=if(status="Unhandled Exception", 1, NULL)
| streamstats last(exception_message) AS exception_present BY  locId hostName macaddress time_window=60s
| where isnotnull(exception_message) OR isnotnull(exception_present)
| stats count as Cnt,list(AppName_Version) as AppName_Version,list(Msg1) as Msg1,list(Msg2) as Msg2 by locId hostName macaddress
| sort -Cnt

I'm not 100% confident in this, but I think it's on the path to a solution.

Re: Listing on all the field values of a transaction event

macadminrohit — Thu, 01 Mar 2018 23:20:59 GMT

Although it gives me some output, but i want to understand the logic here. Would you mind explaning that?

Re: Listing on all the field values of a transaction event

gmasca — Tue, 08 Jan 2019 07:20:11 GMT

add mvlist