Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Append or join transactions

saradachelluboy
Explorer
‎07-20-2016 06:45 PM

Hi All,

I have two different transactions. individually it works perfect but can some one help me to append the two transactions because
the thread ,startwith and endswith everything is different for both the transactions.

index="i" sourcetype="s"  | rex "(?jmsListener\w-\d+)"  | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   | eval ms= duration*1000  

index="i" sourcetype="s"  | rex "(?http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+)" | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml" | eval ms= duration*1000

I tried to play around with transaction, I think field cann't be assigned to satrtswith/endswith

rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)" | 
rex "(?<transtarted>LoggingMessageConverter\s\|\srequest:|WebService\sRequest:\s\<\?xml)"|
rex "(?<tranended>LoggingMessageConverter\s\|\sresponse:|WebService\sResponse:\s\<\?xml)" |
transaction thread startswith=transtarted endswith=tranended
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-20-2016 08:07 PM

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem; transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this - it isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"  
| rex "(?jmsListener\w-\d+)"  
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   
append [ search  index="i" sourcetype="s"  
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml"  ]
| eval ms= duration*1000

Finally, you also had a syntax error in the second rex - there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎07-20-2016 08:07 PM

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem; transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this - it isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"  
| rex "(?jmsListener\w-\d+)"  
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"   
append [ search  index="i" sourcetype="s"  
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml"  ]
| eval ms= duration*1000

Finally, you also had a syntax error in the second rex - there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-20-2016 09:21 PM

Thanks a lot I tried with append. It works perfect!!!

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-20-2016 06:58 PM

What all fields you're using in your final output? (or planning to use)

0 Karma
Reply
Solved! Jump to solution

saradachelluboy
Explorer
‎07-20-2016 07:08 PM

I created thread,transtarted,& tranended using rex but these are not real fields created by splunk.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎07-20-2016 07:13 PM

No, I'm thinking a way to eliminate transaction command itself, but that will require the fields that you want to use in your final expected output. Do you just need _time thread and duration OR any other fields?

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎07-20-2016 07:55 PM

I agree with @somesoni2 - if we knew more, you could perhaps avoid using the transaction command altogether.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...