https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259719#M77853 <P>You could try the <CODE>coalesce()</CODE> function to <CODE>eval</CODE>:</P> <PRE><CODE>your_search | eval my_t_id = coalesce(user, cause) | transaction my_t_id </CODE></PRE> <P>However, I think that if this is really your data, you'd need to set up some more constraints (time, number of events, start, stop etc) on the transaction. Otherwise it may be so that your transactions will span too many events.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> <P>/K</P> Wed, 23 Mar 2016 10:16:13 GMT kristian_kolb 2016-03-23T10:16:13Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259718#M77852 <P>Hi</P> <P>I'm looking to extract a specific subset of events in my Splunk data.</P> <PRE><CODE>_time=3:01 type=update user=user2 _time=3:01 type=errorMessage cause=user1 data=bar1 _time=3:02 type=errorMessage cause=user1 data=wizz _time=3:04 type=update user=user7 _time=3:07 type=errorMessage cause=user1 data=pow _time=3:10 type=update user=user1 _time=3:11 type=update user=user4 </CODE></PRE> <P>I want to match <STRONG>cause</STRONG> in <STRONG>type=errorMessage</STRONG> to <STRONG>user</STRONG> in <STRONG>type=update</STRONG> , so the output for the above is:</P> <PRE><CODE>_time=3:01 duration=9 eventcount=4 type=errorMessage cause=user1 data={bar1,wizz,pow} type=update user=user1 </CODE></PRE> <P>Any ideas how to have this behavior?</P> Wed, 23 Mar 2016 09:52:21 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259718#M77852 zeophlite 2016-03-23T09:52:21Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259719#M77853 <P>You could try the <CODE>coalesce()</CODE> function to <CODE>eval</CODE>:</P> <PRE><CODE>your_search | eval my_t_id = coalesce(user, cause) | transaction my_t_id </CODE></PRE> <P>However, I think that if this is really your data, you'd need to set up some more constraints (time, number of events, start, stop etc) on the transaction. Otherwise it may be so that your transactions will span too many events.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Transaction</A></P> <P>/K</P> Wed, 23 Mar 2016 10:16:13 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259719#M77853 kristian_kolb 2016-03-23T10:16:13Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259720#M77854 <P>Interesting - but what if the <STRONG>type=errorMessage</STRONG> events have a non-null <STRONG>user</STRONG>, and <STRONG>type=update</STRONG> have non-null <STRONG>cause</STRONG> fields?</P> Wed, 23 Mar 2016 11:27:03 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259720#M77854 zeophlite 2016-03-23T11:27:03Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259721#M77855 <P>Then the coalesce function will not be what you want. But since the sample data you posted did not have that limitation ... </P> <P>There are other ways of accomplishing the desired results, e.g. sub-searches, joins etc. If you post some 'real' events, you will probably get better help.</P> <P>/K</P> Wed, 23 Mar 2016 11:35:44 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259721#M77855 kristian_kolb 2016-03-23T11:35:44Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259722#M77856 <P>Try something like this</P> <PRE><CODE>your base search | eval commonfield=if(type="update",user,cause) | transaction commonfield </CODE></PRE> Wed, 23 Mar 2016 14:12:01 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259722#M77856 somesoni2 2016-03-23T14:12:01Z https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259723#M77857 <P>That would not differ in effect from coalesce() in case there are non-null user/cause fields in the 'wrong' events.</P> Wed, 23 Mar 2016 21:08:37 GMT https://community.splunk.com/t5/Splunk-Search/Conditional-Transaction/m-p/259723#M77857 kristian_kolb 2016-03-23T21:08:37Z