Splunk Search

Error using fields in transaction

Communicator

I'm trying to define a transaction within a search in the Web UI. It works fine provided I only supply one field. However, if I use more than one field, separated by commas, I get "The fields option is invalid when a list of fields is provided in the argument list."

The docs clearly state that the fields argument should be a comma delimited list of fields.

Any ideas?

0 Karma
1 Solution

Splunk Employee

The field list in a transaction command does not require an identifier.

It may be any field listed that is not part of an accepted parameter.

For example:

source=*.log |transaction maxspan=10s maxpause=2 UserID src_ip

OR

source=*.log |transaction UserID src_ip maxspan=10s maxpause=2 

If you choose to use an identifier, I have found (as have you) that one field works well - but two produces an error. You may quote the field list to remove that error, like this:

source=*.log |transaction maxspan=10s maxpause=2 fields="UserID,src_ip"


Communicator

I also get this... After the query tries to run...
Error in 'transaction': The fields option is invalid when a list of fields is provided in the argument list.

Seems contradictory, yet I'm sure it's just my lack of the proper usage.

0 Karma

Communicator

source=*.log |transaction maxspan=10s maxpause=2 fields=UserID, src_ip

This fails with the error, but if I only use UserID, it works fine.

0 Karma

Builder

Timmy, can you provide your search?