topic Re: Filter results AFTER transaction function in Splunk Search

Filter results AFTER transaction function

timmy13 — Mon, 06 Jun 2011 16:21:46 GMT

I have data that requires I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.

source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........

The results still include all Source_IP's, not just the one in the where clause.

Any ideas?

Re: Filter results AFTER transaction function

sideview — Mon, 06 Jun 2011 16:59:15 GMT

Here are some things I would double check.

Are you sure the case is the same? Field names are case sensitive.

Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.

If you put wrap the IP in wildcards does it still fail to match? It sounds dubious but maybe the extracted value ended up with a space character on one side or the other.

Re: Filter results AFTER transaction function

timmy13 — Mon, 06 Jun 2011 17:44:22 GMT

Thanks for responding Nick. Yes, I tried search as well with the same results. And I have confirmed the case. Wildcards around the IP doesn't resolve it.

To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.

Re: Filter results AFTER transaction function

sideview — Mon, 06 Jun 2011 17:52:27 GMT

Hmm.. Well im not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to support@splunk.com so they can start looking at it for you and asking around internally.

Re: Filter results AFTER transaction function

yannK — Mon, 28 Sep 2020 10:01:03 GMT

After a transaction, all the fields of the transactions are merged into a single field.
if they are the same, only one is kept, if they are different, they are all concatenated.

example



search * |eval raw=_raw | table host source source_IP raw

hostA sourceA  192.168.168.73 "myrawevent"

hostA sourceA  192.168.168.10 "mysecondrawevent"

after the transastion



search | transaction |eval raw=_raw | table host source source_IP raw

hostA sourceA "192.168.168.73 192.168.198.10" "myrawevent mysecondrawevent"

so you may want to filter using wildcards, like

source=*.log |transaction maxspan=10s maxpause=2 |WHERE Source_IP="*192.168.168.73*"

source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")

source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"

Re: Filter results AFTER transaction function

moesaidi — Wed, 26 Jul 2017 13:39:03 GMT

Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries, WHERE, and SEARCH both don't seem to do anything after a transaction command.