Re: Correlating transaction results

ellothere · ‎02-11-2019

I have a dataset with timestamp, model, and ID. I am trying to correlate the events so that I can see all of the IDs that belong to a particular model. Typical logs look something like this:

{"time" : "2019-02-11 12:45:39", "model" : "alpha", "id" : "id1"}
{"time" : "2019-02-11 12:45:40", "model" : "alpha", "id" : "id2"}
{"time" : "2019-02-11 11:50:40", "model" : "alpha", "id" : "id2"}
{"time" : "2019-02-11 11:50:41", "model" : "alpha", "id" : "id3"}
{"time" : "2019-02-11 12:00:41", "model" : "alpha", "id" : "id4"}

From this data I made the search:

sourcetype="_json" id=* model=alpha
| rename model as "Model" date_minute as "Minute" date_mday as "Date" date_hour as "Hour" id as "ID"
| transaction "Model" maxspan=1m 
| sort - _time
| table "Model" "Date" "Hour" "Minute" "ID"

The problem becomes that the model=alpha has three IDs associated with it. Currently, my transaction groups them as firstCell={id1, id2} , secondCell={id2, id3} , and thirdCell={id4}. Is there a way I can produce something that looks like this firstCell={id1, id2, id3} and secondCell={id4} ?

Thank you all in advance!

adonio · ‎02-12-2019

not sure i understand your question, but ill give it a shot
you can use the different arguments that comes with the transaction command to align to your needs
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchReference/Transaction

Correlating transaction results

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!