Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Using "transaction" Command

daniaabujuma
Explorer
‎07-25-2023 04:41 AM

Hello Splunkers!

I am using "transaction" command to merge multiple logs based on a mutual field between them. To clarify, I have email logs, the issue is that for 1 email I receive 4 logs in the following order:

  1. from
  2. subject
  3. attachment
  4. to

They all have one field in common: id.

I am using the following transaction command: 

| transaction id startswith=from endswith=to 

 The issue is that it merges only the two logs containing "from" and "to".

Can you please verify if I am using the command correctly because I need it to also merge the logs in between not only "from" and "to".

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2023 05:00 AM

The transaction command is inefficient.  Consider using the stats command to group events together by id.

| stats values(*) as * by id

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

daniaabujuma
Explorer
‎07-25-2023 05:39 AM

Hello @richgalloway ,

Thank you for your reply!

I tried your recommendation but unfortunately it didn't work. Do you have any other suggestions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2023 05:49 AM

Please explain what you mean by "it didn't work".  What results did you get and how do they compare to the expected results?

Please share sample sanitized events and the desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top