Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using "transaction" Command

daniaabujuma
Explorer
‎07-25-2023 04:41 AM

Hello Splunkers!

I am using "transaction" command to merge multiple logs based on a mutual field between them. To clarify, I have email logs, the issue is that for 1 email I receive 4 logs in the following order:

  1. from
  2. subject
  3. attachment
  4. to

They all have one field in common: id.

I am using the following transaction command: 

| transaction id startswith=from endswith=to 

 The issue is that it merges only the two logs containing "from" and "to".

Can you please verify if I am using the command correctly because I need it to also merge the logs in between not only "from" and "to".

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2023 05:00 AM

The transaction command is inefficient.  Consider using the stats command to group events together by id.

| stats values(*) as * by id

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

daniaabujuma
Explorer
‎07-25-2023 05:39 AM

Hello @richgalloway ,

Thank you for your reply!

I tried your recommendation but unfortunately it didn't work. Do you have any other suggestions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-25-2023 05:49 AM

Please explain what you mean by "it didn't work".  What results did you get and how do they compare to the expected results?

Please share sample sanitized events and the desired output.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...