Splunk Search

Error using fields in transaction

timmy13
Communicator

I'm trying to define a transaction within a search in the Web UI. It works fine provided I only supply one field. However, if I use more than one field, separated by commas, I get "The fields option is invalid when a list of fields is provided in the argument list."

The docs clearly state that the fields argument should be a comma delimited list of fields.

Any ideas?

0 Karma
1 Solution

bwooden
Splunk Employee

The field list in a transaction command does not require an identifier.

It may be any field listed that is not part of an accepted parameter.

For example:

source=*.log |transaction maxspan=10s maxpause=2 UserID src_ip

OR

source=*.log |transaction UserID src_ip maxspan=10s maxpause=2 

If you choose to use an identifier, I have found (as have you) that one field works well - but two produces an error. You may quote the field list to remove that error, like this:

source=*.log |transaction maxspan=10s maxpause=2 fields="UserID,src_ip"


timmy13
Communicator

I also get this... After the query tries to run...
Error in 'transaction': The fields option is invalid when a list of fields is provided in the argument list.

Seems contradictory, yet I'm sure it's just my lack of the proper usage.

0 Karma

timmy13
Communicator

source=*.log |transaction maxspan=10s maxpause=2 fields=UserID, src_ip

This fails with the error, but if I only use UserID, it works fine.

0 Karma

hazekamp
Builder

Timmy, can you provide your search?
