topic Re: How to filter events from a transaction result. in Splunk Search

How to filter events from a transaction result.

harish_ka — Mon, 19 Oct 2015 11:11:29 GMT

After the transaction command, I got a set of events as one event. Now I want to filter the logs from this transaction result.

Let's say my transaction result has 10 lines as Line 1 to Line 10.
Now I want only lines from line 3 to line 8.
How can I do this??
Please help... Asap..

Re: How to filter events from a transaction result.

jmallorquin — Mon, 19 Oct 2015 11:29:47 GMT

An example please?

Re: How to filter events from a transaction result.

harish_ka — Mon, 19 Oct 2015 11:49:33 GMT

Query:
search...|transaction startswith:"start" endswith:"end"

And i got the event as below,

2015/10/17 06:32:43,872 EDT - DEBUG - Start
2015/10/17 06:32:43,872 EDT - DEBUG - PQR
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - XYZ
2015/10/17 06:32:43,872 EDT - DEBUG - End

now i need the only logs from DEBUG - PQR to DEBUG - XYZ

Please help...

Re: How to filter events from a transaction result.

somesoni2 — Mon, 19 Oct 2015 14:24:19 GMT

The filter (from row 3 to row 😎 is fixed OR it's depend on the some value in the actual data?

Re: How to filter events from a transaction result.

harish_ka — Mon, 19 Oct 2015 14:31:38 GMT

Its not fixed.. it depends on the keyword i use.. and depends on the requirement...

Re: How to filter events from a transaction result.

dkoops — Mon, 19 Oct 2015 14:37:46 GMT

Maybe use mvindex?

| eval NewField=mvindex(_raw, 3, 8)

Re: How to filter events from a transaction result.

somesoni2 — Mon, 19 Oct 2015 14:43:34 GMT

See if something like this would work for you.

search... | eval RawLines=_raw|transaction startswith:"start" endswith:"end" | eval RawLines=mvfilter(NOT match(RawLines,"Start") AND NOT match(RawLines,"End"))

The field _raw though seems like an multivalued field in events tab, but its actually not, So I created another field which will hold the raw data lines and filter is applied on that field.

Re: How to filter events from a transaction result.

dkoops — Mon, 19 Oct 2015 14:46:49 GMT

Seems like the _raw field isn't a multi value field after a transaction. It does however work for other fields. Maybe extract the useful info from the logs before transactioning?

Re: How to filter events from a transaction result.

harish_ka — Mon, 19 Oct 2015 14:56:14 GMT

the filtering is not based on line numbers. its based on some keywords, lets say "ReStart" to "Close", need the logs which are in between these keywords..and the line numbers are not fixed too..

Re: How to filter events from a transaction result.

dkoops — Mon, 19 Oct 2015 15:24:18 GMT

You could use regular expression to extract the relevant info from the _raw field. That might, however, be a tedious job if there are a lot of exceptions; you might have to write several ones. This should work for your example:

| rex "PQR\s(?<RelevantLogStuff>.+)\s2015.+XYZ"

Re: How to filter events from a transaction result.

woodcock — Mon, 19 Oct 2015 17:51:11 GMT

First, get rid of transaction by manufacturing a sessoinID like this:

search... | reverse | streamstats current=t count(eval(searchmatch("start"))) AS sessionID | stats list(_raw) by sessionID

Now that you have a sessionID field for every event, you have more control and can do something like this:

search... | reverse | streamstats current=t count(eval(searchmatch("Start"))) AS sessionID | streamstats current=t count(eval(searchmatch("DEBUG - PQR" OR "DEBUG - XYZ"))) AS subsessionID by sessionID | search subsessionID="1" NOT Start | stats list(_raw) by sessionID