Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Aligning resulsts after a transaction and lookup with multiple values

imarks004
Path Finder
‎11-14-2013 10:23 AM

I am having a very difficult time trying to align fields after a transaction command that is using a lookup with multiple values.
I have a search that uses a transaction command based off an IP address and looks for more than one unique ID in the transaction. I then do a lookup against the unique ID to pull back additional fields like first name, last name, email, etc.

The result set I am trying to get should look something like this. 

 IP unique_id   firstname   lastname    email
IP_1    id_1    id_1_firstname  id_1_lastname   id_1_email
    id_2    id_2_firstname  id_2_lastname   id_2_email
    id_3    id_3_firstname  id_3_lastname   id_3_email

What I am getting is the following where the fields in the rows do not match up to the corresponding uniq_id. 

IP  unique_id   firstname   lastname    email
IP_1    id_1    id_2_firstname  id_3_lastname   id_1_email
    id_2    id_3_firstname  id_1_lastname   id_3_email
    id_3    id_1_firstname  id_2_lastname   id_2_email

I have tried using table, stats, and stats using the values function but cannot seem to get it correct.
Here is an example of what I have tried.
search … | transaction maxspan=6h ip keepevicted=t | where mvcount(unique_id)>1 | lookup local=t userlookup USER AS unique_id | stats values(unique_id) values(FIRSTNAME), values(LASTNAME), values(EMAIL) by ip

Any suggestions would be appreciated..
Thanks

0 Karma
Reply

lguinn2
Legend
‎11-14-2013 11:47 AM

I would do this differently altogether...

yoursearchhere
| stats count by IP unique_id
| eventstats dc(unique_id) as idCount by IP
| where idCount > 1
| fields - idCount
| lookup local=t userlookup USER AS unique_id

The transaction command can get quite slow over large data sets, and it creates multi-valued fields (which is what is causing you such grief). The solution avoids both of those problems.

0 Karma
Reply

imarks004
Path Finder
‎11-18-2013 10:49 AM

Thank you, this search is way more efficient. I think I will wait until I can upgrade to 6.x and use some of the pivot features to to get the output looking the way I want. The current results now at least let me accurately export to Excel.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...