topic Re: simple question on transactions in Splunk Search

simple question on transactions

bessery — Wed, 13 Feb 2013 12:55:16 GMT

The transaction command works with a common field across logs. how can we group multiple events which might have the same types of values (for eg. sessionid) but under a differnt field name? eg. value a0001 might be sessionid for sourcetype A but might be uid for sourcetype B.. Can this be done via tags/aliases?

Re: simple question on transactions

jeff — Wed, 13 Feb 2013 13:00:56 GMT

Either of these would work fine...

{your search criteria} | rename some_field as normalized_field | transaction normalized_field

{your search criteria} | eval normalized_field=some_field | transaction normalized_field

The difference between the two - "some_field" will not be available as a distinct field in the first query as it is renamed. The second will create a second field while leaving the original extracted field as part of the event.

Re: simple question on transactions

BenAveling — Mon, 16 Sep 2013 06:56:39 GMT

That doesn't seem to work for me. Transaction returns the entry with the renamed field or the eval'd field, but not the unrenamed field. It's as if the renaming has clobbered something.

i.e. given

a=1

and

b=1

Then

search... | rename a as b | transaction a

returns only

a=1

Re: simple question on transactions

Ayn — Mon, 16 Sep 2013 09:14:52 GMT

...but you're renaming a to b, then doing the transaction on a. Don't you want it to be b?

Re: simple question on transactions

BenAveling — Tue, 17 Sep 2013 03:58:27 GMT

Hi Ayn, you're right, I should have been "search b". Cut & paste error in the search, but what I said it returns is correct.

As written above, it returns nothing.

Corrected to:

 search... |  rename a as b | transaction b

it returns:

a=1

It turns out that rename and eval do not merge, they overwrite, with null if 'a' doesn't exist.

To get the desired result you need to use something like

... | eval a_or_b = if(a!="",a,b) | transaction a_or_b

... | eval a_or_b=coalesce(a,b) | transaction a_or_b

Re: simple question on transactions

BenAveling — Wed, 18 Sep 2013 01:16:22 GMT

You could use a tag to select all records that have a particular value in different fields, but you'd need to tag and search for all the values you're interested in, and you'd still have the question of how to group the records.

To get the desired result, probably better to use something like this:

... | eval id = if(sessionid !="",sessionid ,uid) | transaction id

or this:

... | eval id=coalesce(sessionid ,uid) | transaction id

You can't just use "rename sessionid as uid", or "eval uid=sessionid", because rename and eval would overwrite the original values of uid.