Splunk Search

Can I Transaction a search with a range field, not strict?

crazyeva
Contributor

Such as "* | transaction field" (field=1,2,3,4,5,6) means exactly the same field will be found.
But I want something like "* | transaction range(field)<3" to find a result with a range field:
field 1,2,3 will be grouped, and so do 4,5,6.

Could someone help me?

EDIT:
Thanks for Ayn's help.
Maybe this could work with a little modification:
1. find event-arrays that start at a similar time (5min)
2. find event-arrays that end at a similar time (5min) (use "_time=_time+duration" to reorder event-arrays)
3. inner join them on the same _raw data
But what a pity, it runs confused:

*| transaction afield startswith="start" endswith="end" | transaction maxspan=5m | where eventcount>1 |
JOIN type=inner _raw
[ SEARCH
*| transaction afield startswith="start" endswith="end" | eval _time=_time+duration | transaction maxspan=5m | where eventcount>1
]

Going on looking for a solution for this case .....

0 Karma

Ayn
Legend

While the transaction command itself does not support ranges, you could combine it with an eval before it to set specific values for a field based on an input range and then have transaction operate on that field instead.

* | eval fieldrange=case(field<=3,"1-3",field>=4 AND field<=6,"4-6",field>6,"others")
| transaction fieldrange

EDIT: So, I still think you could achieve what you want by using the technique I showed you.

* | transaction ... | rename duration as perduration | eval drange=case(perduration<300,"<300",perduration>=300 AND perduration<=1000,"300-1000",someothercondition,"someothervalue") | transaction maxspan=5m drange

Or do you want to somehow dynamically calculate the range, so that given a value, say 1520, others that have a value that falls within a range of 300 (or +-150) should be grouped together with this? I'm pretty sure that will be very tricky to accomplish.

0 Karma

crazyeva
Contributor

Oh, that's a talented idea to write "_time", I am trying this.
Event spacing is a true problem.
Maybe:
1000,1001,1002,1003,1300,1301
"range300" will find only one group "1000-1003,1300", but "1300,1301" seems more like a group which should be found!
However, a close result is enough!
I think if the range I take is much bigger than the event spacing frequency, it will help me get close to the true result.
Thank you very much!

0 Karma

Ayn
Legend

The thing is, you would have to handle how to group the values. Let's say that your values were to be evenly spaced with 100 between them, so 1000,1100,1200,1300 etc. How would that case be handled if you want 300 as a maxrange? Which value should be chosen as the "center point" and which values should be included? If you just grab them all as long as the next event is within 300 from the previous event, you'll end up with a mammoth of a transaction event.

The only way I could think of is to violate the _time somehow by writing perduration to _time and let transaction operate on that.

0 Karma
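As an added example (not code from this thread or from Splunk), the following Python models the three grouping strategies the thread is arguing about on the thread's own sample values: fixed buckets (what the eval/case trick does, generalised to any bucket width), greedy chaining by gap to the previous value (which produces the "mammoth" transaction for evenly spaced values), and a greedy window anchored at the first value of each group (which bounds the range but splits 1300 from 1301 in the first sample). The function names and the bucket label format are my own; the sample values come from the posts above.

```python
# Added example: three ways to group numeric "duration" values so that related
# transactions can be clustered. Not Splunk code; a plain-Python model of the
# behaviours discussed in the thread.
from collections import defaultdict

# Sample values taken from the thread (constructed test data, not real events).
SAMPLE = [1000, 1001, 1002, 1003, 1300, 1301]
EVEN = [1000, 1100, 1200, 1300, 1400, 1500]


def fixed_buckets(values, width):
    """Fixed-width bucketing, the generalised eval/case approach.

    Each value is labelled by the bucket it falls in (e.g. width=300 gives
    labels like "900-1199") and grouped by that label. Boundaries are static,
    so two values 1 apart (1199 and 1200) can land in different buckets.
    """
    groups = defaultdict(list)
    for v in values:
        lo = (v // width) * width
        groups[f"{lo}-{lo + width - 1}"].append(v)
    return dict(groups)


def chain_by_gap(values, maxgap):
    """Greedy chaining: a value joins the current group whenever its gap to the
    previous value is <= maxgap. Evenly spaced values that each sit within
    maxgap of their neighbour chain into one huge group."""
    groups = []
    for v in sorted(values):
        if groups and v - groups[-1][-1] <= maxgap:
            groups[-1].append(v)
        else:
            groups.append([v])
    return groups


def window_from_first(values, maxrange):
    """Greedy window anchored at the smallest value of each group: a value joins
    while (value - first_value) <= maxrange. Every group's range is bounded,
    but the cut point depends on where the first group happened to start."""
    groups = []
    for v in sorted(values):
        if groups and v - groups[-1][0] <= maxrange:
            groups[-1].append(v)
        else:
            groups.append([v])
    return groups


if __name__ == "__main__":
    for name, data in (("SAMPLE", SAMPLE), ("EVEN", EVEN)):
        print(name)
        print("  fixed_buckets(300):    ", fixed_buckets(data, 300))
        print("  chain_by_gap(300):     ", chain_by_gap(data, 300))
        print("  window_from_first(300):", window_from_first(data, 300))
```

On SAMPLE, fixed buckets give the two groups crazyeva wanted, chaining gives a single group, and the anchored window gives "1000-1003,1300" plus a lone 1301, exactly the complaint in the follow-up post. On EVEN, chaining collapses all six values into one group, which is the problem Ayn describes; the fixed-bucket approach is the only one whose output does not depend on which value happens to come first.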

crazyeva
Contributor

#1 (after the 2nd transaction) = #2+#3+#4 (before the 2nd transaction)
Exactly what you say is what we try to do, a very tricky search. 🙂

Things that seem not related are related. A tricky search has more benefits.
Can you help me, or do I have no hope at all to make it?
Thank you!

0 Karma

Ayn
Legend

Yes, but what about event 2, 3, 4 and 5?

EDIT: Ah, I take it the maxspan parameter refers to the second transaction you're trying to create, not the first. Updating my answer a bit.

0 Karma

crazyeva
Contributor

You see, in the second transaction, event #1's duration is 120s (from 6:01 to 6:03), which is less than 5m (300s). I have confirmed this with several tests: transaction duration is calculated from the start time of each event, no matter how long the events themselves last.
I am trying to search for event-arrays (events related by some fields) with similar start time and similar end time, no other relation.

0 Karma

Ayn
Legend

I'm sorry, I don't follow you. If you set a maxspan=5m (= 300 seconds), how could you get a duration of more than that? I'm also not following the way you define "range" in your scenario.

0 Karma

crazyeva
Contributor

I mean: not perduration<300 but range(perduration)<300.
If the results of the former transaction are:

#  _time  duration  eventcount
1  6:00   250       10
2  6:01   1520      10
3  6:02   1521      10
4  6:03   1523      10
5  6:04   2300      10
6  .....

then in the later transaction, events #2, #3, #4 will match.
#1 and #5 will not. The result I want is like:

#  _time  duration  eventcount  perduration
1  6:01   120       3           1520
                                1521
                                1523
2  .....

Thank you!

0 Karma

Ayn
Legend

Like I said in my answer, transaction itself does not support a range like that. That's the reason for doing the eval trick.

If you just want this for filtering out transactions, why not use | search perduration<300?

0 Karma

crazyeva
Contributor

Thanks for helping me!
This solution solves my question.
But I still have the problem in the case I'm facing.
In fact, field=num1,num2...numN is a "duration" field generated by a former transaction command.
I then want to find out event-arrays with a similar start time (within 5min) and almost the same duration, in other words, a similar end time.
I tried "* | transaction ... | rename duration as perduration | transaction maxspan=5m range(perduration)<300"
All things go well, but "range" in "transaction" does not work.
How could I make it?
Thanks to everyone who tries to help!

0 Karma