topic Re: Getting transaction results in table with "transacted" items in separate rows in Splunk Search

How to get transaction results in table with "transacted" items in separate rows?

splunk_thunk — Tue, 10 May 2022 19:45:07 GMT

Hello Experts,

I have a transaction query that I am displaying in a table. I am able to get results in a table, however, the results tied in a single transaction appear as single row in the table. I would like to have them displayed in separate rows, as if they are individual search results.

Here's an example:

Log Data:

Transaction Id=1, step=1, data_x=dataX1, data_y=dataY1

Transaction Id=1, step=2, data_x=dataX2, data_y=dataY2

How results look like

Transaction Id

data_x

data_y

dataX1

dataX2

dataY1

dataY2

...

Need it to look like

Transaction Id	data_x	data_y
1	dataX1	dataY1
1	dataX2	dataY2
2	...	...
2	...	...

Any help appreciated.

Thanks!

Re: Getting transaction results in table with "transacted" items in separate rows

richgalloway — Tue, 10 May 2022 15:29:56 GMT

Please share the SPL that produces the current results.

Re: Getting transaction results in table with "transacted" items in separate rows

splunk_thunk — Tue, 10 May 2022 18:01:03 GMT

@richgalloway

Please try the above.

I have another question (you will notice it in search results from above query). For the same transaction, how can I print the value of a field from step=1 of the transaction into other steps in the result, when that field is not available in the other search results within same transaction.

Thanks much!

Re: Getting transaction results in table with "transacted" items in separate rows

ITWhisperer — Tue, 10 May 2022 18:40:00 GMT

I assume you used transaction to gather the events together so you could try using stats and list()

The main thing you need to do is zip all the fields together, mvexpand, then "unzip" them. This does rely on there being values in each of the fields, although that would be true for transaction as well

| makeresults count=4 | streamstats count | eval transactionId = case(count=1 OR count=2, 1, count=3 OR count=4, 2) | eval step = case(transactionId=1 AND count<=2,count, transactionId=2,count-2) | eval data_x="dataX".step | eval data_y="dataY".step | eval val=case(step=1,step,step>1,"null. So how to print value_1 here as well?") | stats list(data_*) as data_* list(step) as step list(val) as val by transactionId | eval data=mvzip(data_x,mvzip(data_y,val,":"),":") | mvexpand data | eval data_x=mvindex(split(data,":"),0) | eval data_y=mvindex(split(data,":"),1) | eval val=mvindex(split(data,":"),2) | table transactionId data_x data_y val

Re: Getting transaction results in table with "transacted" items in separate rows

splunk_thunk — Tue, 10 May 2022 19:12:03 GMT

Thanks @ITWhisperer . That solves one problem.

Any suggestions to copy value from step-1 of the transaction into step-2 of the same transaction when it is missing in step-2?

I have added this table to a dashboard that has filter on val from my example. When val field is not available in step-2 of the same transaction, the filter condition removes that result from the table, which is not desired.

Re: Getting transaction results in table with "transacted" items in separate rows

ITWhisperer — Tue, 10 May 2022 22:06:04 GMT

Re: Getting transaction results in table with "transacted" items in separate rows

splunk_thunk — Wed, 11 May 2022 18:30:02 GMT

Thanks @ITWhisperer . Trying it out in prod before I mark resolved.