topic Why when I use transaction command, search is not extracting some fields in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599761#M208748 <P>Hi</P> <P>try to use transaction command, but actionName is empty!</P> <P>&nbsp;</P> <P>Here is my SPL</P> <LI-CODE lang="markup"> | rex "actionName.*\.(?&lt;actionName&gt;\w+\.\w+)\]" | rex "duration\[(?&lt;duration&gt;\d+)" | rex "transactionId\[(?&lt;transactionId&gt;\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | table duration actionName username</LI-CODE> <P><BR /><BR /></P> <P>Here is the current result:</P> <P>duration &nbsp;&nbsp; actionName&nbsp;&nbsp;&nbsp; username&nbsp;&nbsp;<BR />171847&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ABC&nbsp;&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Here is the expected result:</P> <P>duration &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; actionName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; username&nbsp;&nbsp;<BR />171847&nbsp;&nbsp;&nbsp; QueryOnData.Allow&nbsp;&nbsp;&nbsp;&nbsp; ABC&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Here is the log:<BR />2022-05-30 12:39:34,262 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]<BR /><BR />2022-05-30 12:42:26,109 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]</P> Tue, 31 May 2022 13:55:40 GMT indeed_2000 2022-05-31T13:55:40Z Why when I use transaction command, search is not extracting some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599761#M208748 <P>Hi</P> <P>try to use transaction command, but actionName is empty!</P> <P>&nbsp;</P> <P>Here is my SPL</P> <LI-CODE lang="markup"> | rex "actionName.*\.(?&lt;actionName&gt;\w+\.\w+)\]" | rex "duration\[(?&lt;duration&gt;\d+)" | rex "transactionId\[(?&lt;transactionId&gt;\w+-\w+-\w+-\w+-\w+)" |transaction transactionId | table duration actionName username</LI-CODE> <P><BR /><BR /></P> <P>Here is the current result:</P> <P>duration &nbsp;&nbsp; actionName&nbsp;&nbsp;&nbsp; username&nbsp;&nbsp;<BR />171847&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ABC&nbsp;&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Here is the expected result:</P> <P>duration &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp; actionName&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; username&nbsp;&nbsp;<BR />171847&nbsp;&nbsp;&nbsp; QueryOnData.Allow&nbsp;&nbsp;&nbsp;&nbsp; ABC&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Here is the log:<BR />2022-05-30 12:39:34,262 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] parameters[] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] username[ABC] startTime[1653898174262]<BR /><BR />2022-05-30 12:42:26,109 INFO&nbsp; [APP] [Act] actionName[us.st.zxc.asda.app.session.protector.QueryOnData.Allow] transactionId[8d135d45-c117-4781-a3ed-9a6a9db7ce4d] duration[171847] status[done]</P> Tue, 31 May 2022 13:55:40 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599761#M208748 indeed_2000 2022-05-31T13:55:40Z Re: transaction command not extract some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599763#M208749 <P>You have extracted actionName as method - try it this way</P><LI-CODE lang="markup"> | rex "actionName.*\.(?&lt;actionName&gt;\w+\.\w+)\]"</LI-CODE> Mon, 30 May 2022 16:32:19 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599763#M208749 ITWhisperer 2022-05-30T16:32:19Z Re: transaction command not extract some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599764#M208750 <P>sorry it was typo, modify post. result same and still not work.</P> Mon, 30 May 2022 16:38:34 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599764#M208750 indeed_2000 2022-05-30T16:38:34Z Re: transaction command not extract some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599765#M208751 <P>There doesn't appear to be anything wrong with your rex expressions (given the examples you provided). However, you could try it this way</P><LI-CODE lang="markup">| rex "actionName\[(\w+\.)*(?&lt;actionName&gt;\w+\.\w+)\]" </LI-CODE> Mon, 30 May 2022 16:53:07 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599765#M208751 ITWhisperer 2022-05-30T16:53:07Z Re: transaction command not extract some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599767#M208752 <P>Thank you now actionName show correctly .</P><P>I encounter with another strange issue when i use transaction and at the end sort by duration it show highest duration is 15000 but when i remove transaction it show 17000 as highest duration!!!</P><P>FYI1:correct value is 17000 and there is no special filter exist here!</P><P>FYI2:duration directly print in log i just use transaction to aggregate two lines.</P><P>&nbsp;</P><P>Here is with transaction command:</P><P>&nbsp;|&nbsp; rex "actionName.*\.(?&lt;actionName&gt;\w+\.\w+)\]" | rex "duration\[(?&lt;duration&gt;\d+)"<BR />&nbsp;| rex "transactionId\[(?&lt;transactionId&gt;\w+-\w+-\w+-\w+-\w+)"<BR />&nbsp;|transaction transactionId | sort - duration<BR />&nbsp;| table duration actionName username</P><P>&nbsp;</P><P>Here is without transaction:</P><P>&nbsp;|&nbsp; rex "actionName.*\.(?&lt;actionName&gt;\w+\.\w+)\]" | rex "duration\[(?&lt;duration&gt;\d+)"<BR />&nbsp;| rex "transactionId\[(?&lt;transactionId&gt;\w+-\w+-\w+-\w+-\w+)"<BR />| sort - duration<BR />&nbsp;| table duration actionName username</P><P>any idea?</P><P>Thanks</P> Mon, 30 May 2022 17:29:28 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599767#M208752 indeed_2000 2022-05-30T17:29:28Z Re: transaction command not extract some fields https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599799#M208768 <P>Answered here&nbsp;<A href="https://community.splunk.com/t5/Splunk-Search/Transaction-command-not-work-as-expcted/m-p/599797#M208767" target="_blank">Re: Transaction command not work as expcted - Splunk Community</A></P> Tue, 31 May 2022 06:17:31 GMT https://community.splunk.com/t5/Splunk-Search/Why-when-I-use-transaction-command-search-is-not-extracting-some/m-p/599799#M208768 ITWhisperer 2022-05-31T06:17:31Z