topic Re: Append or join transactions in Splunk Search

Append or join transactions

saradachelluboy — Thu, 21 Jul 2016 01:45:29 GMT

Hi All,

I have two different transactions. individually it works perfect but can some one help me to append the two transactions because
the thread ,startwith and endswith everything is different for both the transactions.

index="i" sourcetype="s"  | rex "(?jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   | eval ms= duration*1000  

index="i" sourcetype="s"  | rex "(?http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+)" | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml" | eval ms= duration*1000

I tried to play around with transaction, I think field cann't be assigned to satrtswith/endswith

rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)" | 
rex "(?<transtarted>LoggingMessageConverter\s\|\srequest:|WebService\sRequest:\s\<\?xml)"|
rex "(?<tranended>LoggingMessageConverter\s\|\sresponse:|WebService\sResponse:\s\<\?xml)" |
transaction thread startswith=transtarted endswith=tranended

Re: Append or join transactions

somesoni2 — Thu, 21 Jul 2016 01:58:54 GMT

What all fields you're using in your final output? (or planning to use)

Re: Append or join transactions

saradachelluboy — Thu, 21 Jul 2016 02:08:46 GMT

I created thread,transtarted,& tranended using rex but these are not real fields created by splunk.

Re: Append or join transactions

somesoni2 — Thu, 21 Jul 2016 02:13:44 GMT

No, I'm thinking a way to eliminate transaction command itself, but that will require the fields that you want to use in your final expected output. Do you just need _time thread and duration OR any other fields?

Re: Append or join transactions

lguinn2 — Thu, 21 Jul 2016 02:55:42 GMT

I agree with @somesoni2 - if we knew more, you could perhaps avoid using the transaction command altogether.

Re: Append or join transactions

lguinn2 — Thu, 21 Jul 2016 03:07:37 GMT

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem; transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this - it isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"  
| rex "(?jmsListener\w-\d+)"  
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   
append [ search  index="i" sourcetype="s"  
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml"  ]
| eval ms= duration*1000

Finally, you also had a syntax error in the second rex - there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

Re: Append or join transactions

saradachelluboy — Thu, 21 Jul 2016 04:21:48 GMT

Thanks a lot I tried with append. It works perfect!!!