Splunk Search

Append or join transactions

Hi All,

I have two different transactions. Individually each works perfectly, but can someone help me append the two transactions? The thread, startswith and endswith are all different for the two transactions.

index="i" sourcetype="s" | rex "(?<thread>jmsListener\w-\d+)" | transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:" | eval ms=duration*1000

index="i" sourcetype="s" | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+)" | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml" | eval ms=duration*1000

I tried to play around with transaction; I think a field can't be assigned to startswith/endswith.

rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)" | 
rex "(?<transtarted>LoggingMessageConverter\s\|\srequest:|WebService\sRequest:\s\<\?xml)"|
rex "(?<tranended>LoggingMessageConverter\s\|\sresponse:|WebService\sResponse:\s\<\?xml)" |
transaction thread startswith=transtarted endswith=tranended
0 Karma

Re: Append or join transactions

SplunkTrust

Which fields are you using in your final output (or planning to use)?

0 Karma

Re: Append or join transactions

I created thread, transtarted, and tranended using rex, but these are not real fields created by Splunk.

0 Karma

Re: Append or join transactions

SplunkTrust

No, I'm thinking of a way to eliminate the transaction command itself, but that will require the fields that you want to use in your final expected output. Do you just need _time, thread and duration, or any other fields?

0 Karma

Re: Append or join transactions

Legend

I agree with @somesoni2: if we knew more, you could perhaps avoid using the transaction command altogether.

0 Karma

Re: Append or join transactions

Legend

I understand that you want to combine these, but there are two problems with your initial solution:
1 - You have a syntax problem: transaction thread startswith=transtarted endswith=tranended
should be transaction thread startswith=eval(isnotnull(transtarted)) endswith=eval(isnotnull(tranended))
2 - Even with the syntax fixed, it still won't work. You could end up with a transaction that begins with a logging message and ends with a web service response. I don't think that is what you want.

Try this. It isn't very efficient, but it should work, at least for smaller datasets:

index="i" sourcetype="s"
| rex "(?<thread>jmsListener\w-\d+)"
| transaction thread startswith="LoggingMessageConverter | request:" endswith="LoggingMessageConverter | response:"
| append [ search index="i" sourcetype="s"
        | rex "(?<thread>http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+)"
        | transaction thread startswith="WebService Request: \<?xml" endswith="WebService Response: \<?xml" ]
| eval ms=duration*1000

Finally, you also had a syntax error in the second rex: there is no field name. But I copied it from the other example you gave. Although I am unclear why you need either of the rex commands...

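The cross-pairing that problem 2 in the answer above warns about, shown as an added example that is not from this thread and is not Splunk's code: a small Python model of the per-thread startswith/endswith grouping that the transaction command performs, run over a few constructed log lines. The line format, timestamps and thread names are made up (the thread regex is the one from the thread); the grouping logic is a simplification (an unfinished group is discarded when a new start arrives on the same thread, and only closed groups are returned). It shows that one search with both start patterns and both end patterns can close a LoggingMessageConverter request on a WebService response, while running the two transaction searches separately and appending the results gives one duration per real request/response pair.

```python
import re
from datetime import datetime

# Constructed sample events (not real log data), oldest first. The http
# thread interleaves a web-service call with a message-converter call.
SAMPLE_LOG = """\
2023-01-01 10:00:00.000 [jmsListenerA-1] LoggingMessageConverter | request: <order/>
2023-01-01 10:00:00.250 [jmsListenerA-1] LoggingMessageConverter | response: <ack/>
2023-01-01 10:00:00.800 [http-10.0.0.5/10.0.0.9:8080-12] WebService Request: <?xml version="1.0"?>
2023-01-01 10:00:01.000 [http-10.0.0.5/10.0.0.9:8080-12] LoggingMessageConverter | request: <lookup/>
2023-01-01 10:00:01.200 [http-10.0.0.5/10.0.0.9:8080-12] WebService Response: <?xml version="1.0"?>
2023-01-01 10:00:01.600 [http-10.0.0.5/10.0.0.9:8080-12] LoggingMessageConverter | response: <result/>
"""

# The poster's combined thread pattern (both alternatives), as a Python regex.
THREAD_RE = re.compile(
    r"http-\w+\.\w+\.\w+\.\w+/\d+\.\d+\.\d+\.\d+:\d+-\d+|jmsListener\w-\d+"
)


def parse(log):
    """Turn the constructed lines into Splunk-like events: _time, thread, msg."""
    events = []
    for line in log.splitlines():
        ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")
        thread = THREAD_RE.search(line).group(0)   # what `rex "(?<thread>...)"` extracts
        msg = line.split("] ", 1)[1]
        events.append({"_time": ts, "thread": thread, "msg": msg})
    return events


def transaction(events, key, startswith, endswith):
    """Simplified model of `transaction <key> startswith=... endswith=...`.

    Events are walked oldest first. A startswith match opens a group for its
    key (discarding any unfinished group for that key); later events with the
    same key join the group until an endswith match closes it. Only closed
    groups are returned, each with a duration in seconds like Splunk's field.
    """
    open_tx = {}
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        k = ev[key]
        if startswith(ev):
            open_tx[k] = [ev]
        elif k in open_tx:
            open_tx[k].append(ev)
            if endswith(ev):
                evs = open_tx.pop(k)
                closed.append({
                    key: k,
                    "first_msg": evs[0]["msg"],
                    "last_msg": evs[-1]["msg"],
                    "eventcount": len(evs),
                    "duration": (evs[-1]["_time"] - evs[0]["_time"]).total_seconds(),
                })
    return closed


def contains(needle):
    """Predicate equivalent of a string startswith=/endswith= argument."""
    return lambda ev: needle in ev["msg"]


JMS_START = contains("LoggingMessageConverter | request:")
JMS_END = contains("LoggingMessageConverter | response:")
WS_START = contains("WebService Request: <?xml")
WS_END = contains("WebService Response: <?xml")


def combined_search(events):
    """One transaction with either start pattern and either end pattern
    (the poster's transtarted/tranended idea). Boundaries can cross."""
    return transaction(events, "thread",
                       lambda ev: JMS_START(ev) or WS_START(ev),
                       lambda ev: JMS_END(ev) or WS_END(ev))


def appended_search(events):
    """Two independent transactions, results appended (the accepted answer)."""
    return (transaction(events, "thread", JMS_START, JMS_END)
            + transaction(events, "thread", WS_START, WS_END))


def durations_ms(txs):
    """Sorted list of durations in ms, like `eval ms=duration*1000`."""
    return sorted(round(tx["duration"] * 1000) for tx in txs)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for tx in combined_search(evs):
        print("combined:", tx["thread"], tx["first_msg"][:35], "->", tx["last_msg"][:30])
    print("combined ms:", durations_ms(combined_search(evs)))
    print("appended ms:", durations_ms(appended_search(evs)))
```

On the constructed input the combined search produces a 200 ms group on the http thread that opens with a LoggingMessageConverter request and closes with a WebService response, and loses both real pairs on that thread; the appended form yields the three genuine durations (250, 400 and 600 ms).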


Re: Append or join transactions

Thanks a lot. I tried with append. It works perfectly!!!

0 Karma