Re: Correlating transaction results

ellothere · ‎02-11-2019

I have a dataset with timestamp, model, and ID. I am trying to correlate the events so that I can see all of the IDs that belong to a particular model. Typical logs look something like this:

{"time" : "2019-02-11 12:45:39", "model" : "alpha", "id" : "id1"}
{"time" : "2019-02-11 12:45:40", "model" : "alpha", "id" : "id2"}
{"time" : "2019-02-11 11:50:40", "model" : "alpha", "id" : "id2"}
{"time" : "2019-02-11 11:50:41", "model" : "alpha", "id" : "id3"}
{"time" : "2019-02-11 12:00:41", "model" : "alpha", "id" : "id4"}

From this data I made the search:

sourcetype="_json" id=* model=alpha
| rename model as "Model" date_minute as "Minute" date_mday as "Date" date_hour as "Hour" id as "ID"
| transaction "Model" maxspan=1m 
| sort - _time
| table "Model" "Date" "Hour" "Minute" "ID"

The problem becomes that the model=alpha has three IDs associated with it. Currently, my transaction groups them as firstCell={id1, id2} , secondCell={id2, id3} , and thirdCell={id4}. Is there a way I can produce something that looks like this firstCell={id1, id2, id3} and secondCell={id4} ?

Thank you all in advance!

adonio · ‎02-12-2019

not sure i understand your question, but ill give it a shot
you can use the different arguments that comes with the transaction command to align to your needs
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

Correlating transaction results

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation