topic Re: Filter transaction in Splunk Search https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667384#M228957 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;you miss main question and I tell you step by step main question!</P><P>Would you please check main question? And tell me is there any way to do that?</P><P>thanks</P> Sat, 04 Nov 2023 18:20:31 GMT indeed_2000 2023-11-04T18:20:31Z Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667285#M228922 <P>Hi</P><P>i have log line like this,</P><P>1-need to group by them by ID,</P><P>2- filter those transactions that has T[A]</P><P>&nbsp;</P><PRE>#txn1<BR /><SPAN>16:30:53:002 moduleA ID[123]<BR /></SPAN><SPAN>16:30:54:002 moduleA ID[123]<BR /></SPAN>16:30:55:002 moduleB ID[123]T[A]<BR />16:30:56:002 moduleC ID[123]<BR /><BR />#txn2<BR />16:30:57:002 moduleD ID[987]<BR />16:30:58:002 moduleE ID[987]T[B]<BR />16:30:59:002 moduleF ID[987]<BR />16:30:60:002 moduleZ ID[987]</PRE><P>&nbsp;<BR /><BR /></P><P>Any idea?</P><P>Thanks</P> Fri, 03 Nov 2023 10:24:55 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667285#M228922 indeed_2000 2023-11-03T10:24:55Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667287#M228924 <P>What fields do you already have extracted?</P><P>By "filter" do you mean filter in or filter out i.e. do you want to keep the events with T[A], keep only those events with T[A] or remove them altogether?</P> Fri, 03 Nov 2023 10:57:50 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667287#M228924 ITWhisperer 2023-11-03T10:57:50Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667345#M228932 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;need to see filter out/in result to decide.</P><P>All fields extracted already.</P><P><SPAN>need keep the events with T[A].</SPAN></P> Fri, 03 Nov 2023 17:15:41 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667345#M228932 indeed_2000 2023-11-03T17:15:41Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667351#M228935 <LI-CODE lang="markup">| sort 0 ID</LI-CODE> Fri, 03 Nov 2023 19:02:05 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667351#M228935 ITWhisperer 2023-11-03T19:02:05Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667353#M228936 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;?</P> Fri, 03 Nov 2023 19:13:46 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667353#M228936 indeed_2000 2023-11-03T19:13:46Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667354#M228937 <P>Your events will be together by ID</P> Fri, 03 Nov 2023 19:25:33 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667354#M228937 ITWhisperer 2023-11-03T19:25:33Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667355#M228938 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><P>How about other part?&nbsp;</P><P>FYI: i mean extract key value one by one with rex command not whole transaction.</P> Fri, 03 Nov 2023 20:01:05 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667355#M228938 indeed_2000 2023-11-03T20:01:05Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667357#M228939 <P>Not sure I understand, you just said all fields already extracted?</P> Fri, 03 Nov 2023 20:52:45 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667357#M228939 ITWhisperer 2023-11-03T20:52:45Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667358#M228940 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;i mean id, t , … key value extracted not transaction.</P> Fri, 03 Nov 2023 21:04:08 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667358#M228940 indeed_2000 2023-11-03T21:04:08Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667370#M228946 <P>What do you mean by transaction?</P> Sat, 04 Nov 2023 10:19:14 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667370#M228946 ITWhisperer 2023-11-04T10:19:14Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667377#M228952 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;</P><PRE>#txn1<BR /><SPAN>16:30:53:002 moduleA ID[123]<BR /></SPAN><SPAN>16:30:54:002 moduleA ID[123]<BR /></SPAN>16:30:55:002 moduleB ID[123]T[A]<BR />16:30:56:002 moduleC ID[123]<BR /><BR />#txn2<BR />16:30:57:002 moduleD ID[987]<BR />16:30:58:002 moduleE ID[987]T[B]<BR />16:30:59:002 moduleF ID[987]<BR />16:30:60:002 moduleZ ID[987]</PRE><P>&nbsp;</P> Sat, 04 Nov 2023 14:49:16 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667377#M228952 indeed_2000 2023-11-04T14:49:16Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667379#M228953 <P>How do you determine which events are part of a "transaction"?</P> Sat, 04 Nov 2023 16:23:56 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667379#M228953 ITWhisperer 2023-11-04T16:23:56Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667380#M228954 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;group by id</P> Sat, 04 Nov 2023 16:25:34 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667380#M228954 indeed_2000 2023-11-04T16:25:34Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667382#M228955 <LI-CODE lang="markup">| stats list(_raw) as _raw by ID</LI-CODE> Sat, 04 Nov 2023 16:31:40 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667382#M228955 ITWhisperer 2023-11-04T16:31:40Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667384#M228957 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;you miss main question and I tell you step by step main question!</P><P>Would you please check main question? And tell me is there any way to do that?</P><P>thanks</P> Sat, 04 Nov 2023 18:20:31 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667384#M228957 indeed_2000 2023-11-04T18:20:31Z Re: Filter transaction https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667389#M228959 <LI-CODE lang="markup">| stats list(_raw) as _raw list(T) as T by ID | where T=="A"</LI-CODE> Sat, 04 Nov 2023 20:09:21 GMT https://community.splunk.com/t5/Splunk-Search/Filter-transaction/m-p/667389#M228959 ITWhisperer 2023-11-04T20:09:21Z