topic Re: How to edit my transaction search so that it will only return grouped results? in Splunk Search

How to edit my transaction search so that it will only return grouped results?

EricLloyd79 — Mon, 03 Apr 2017 16:08:02 GMT

This seems like it would be easy to figure out through search but I'm coming across a dead end.
I have a transaction and I want to ONLY return the grouped results, not the ones that don't find a match as well.

xyz0024 OR xyz0019 fooxyz source="/company-logs/abc/current/abc.log" NOT (type=pa) | transaction field1 maxpause=3s

Thanks

Re: How to edit my transaction search so that it will only return grouped results?

niketn — Mon, 03 Apr 2017 16:47:13 GMT

Transaction created eventcount field with events that match the transaction criteria. You can use the same to filter results you need.

 | transaction field1 maxpause=3s
 | search eventcount>1

However, for a scenario like this you should be using stats instead. If you can add more details around data/fields you are interested in may be the community can suggest you with better query with stats. It would go like the following:

| stats count as eventcount min(_time) as MinTime max(_time) as MaxTime by field
| search eventcount>1
| eval duration=MaxTime-MinTime
| eval _time=MinTime
| table _time field eventcount duration

You should also accomodate any other field of interest in stats command above using aggregate function like values() list() etc.

Re: How to edit my transaction search so that it will only return grouped results?

cmerriman — Mon, 03 Apr 2017 17:05:46 GMT

range(_time) as duration would also work instead of max/min and an eval.

| stats count as eventcount min(_time) as _time range(_time) as duration by field
 | search eventcount>1
 | table _time field eventcount duration

Re: How to edit my transaction search so that it will only return grouped results?

DalJeanis — Mon, 03 Apr 2017 17:14:01 GMT

That's the default behavior for transaction (defaults to keeporphans=false).

...which leads me to believe that your problem statement is missing some background information that we need to know in order to help you.

niketnilay and cmerriman have given you some suggestions. If neither of those work for you, then please give us more information about what behavior you need, and what the characteristics of the events are that you are trying to group. Preferably with some non-confidential example data.

Re: How to edit my transaction search so that it will only return grouped results?

EricLloyd79 — Tue, 04 Apr 2017 12:46:25 GMT

Thanks this worked, niketnailay.
Please add it as an official answer to the question so I can mark it correct and give you points and offer notification to others that this answer worked for me.

Re: How to edit my transaction search so that it will only return grouped results?

DalJeanis — Tue, 04 Apr 2017 17:33:07 GMT

Moved it to an answer for you.