Splunk Search

Fields from transaction not displaying in table after extra eval

thisissplunk
Builder

Hi,

I'm using the transaction command to combine two different events into one larger event with the user_id as the key. This works. What does not work is when I try to table the data. I cannot get an eval'ed string field to display in the table after I concat (+) the user_id field onto the end of it.

Ex:

search...
| transaction fields="user_id" maxspan=60s
| where eventcount > 1
| eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
| table message

Message is completely blank! It's because of the addition of user_id, but I cannot figure out why or how to make it work. If I put user_id in the table as its own column, it displays just fine. I understand user_id is a mv field at this point, but I've tried every eval mv field operator with no success: nomv, mvjoin, mvindex, etc.

Help!

edit: Also, if I do a nomv, mvjoin or mvindex on user_id and set that to a new field, OR just blah=user_id, that new field is also blank if I put it in the table! If I use mvlist=t, then a | eval test=mvjoin(user_id, " and ") ... test shows "NULL and NULL" in the table.

0 Karma
1 Solution

thisissplunk
Builder

Could not figure out the root cause of why mv commands, . or + were not working. Used a rex on raw to manually pull the field out of the raw transaction event instead. This did work:

| rex field=_raw "user_id:(?<id>.+?)\}"

I now have an "id" field that works and displays like normal. Interestingly enough, this solution does not work when mvraw=t.


0 Karma
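To make the accepted workaround concrete outside of Splunk, here is an added Python example (not from the thread or from Splunk) that approximates what the search above does: it groups constructed sample events into transactions keyed on user_id within a 60-second maxspan, keeps only transactions with more than one event, and then re-extracts the id from the combined _raw text using the same regex as the rex command. The event format, timestamps and user ids are constructed assumptions; note that Python spells the named group (?P<id>...) where Splunk's rex accepts (?<id>...).

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (assumption: raw text shaped so the thread's
# regex user_id:(?<id>.+?)\} matches). Tuples are (timestamp, _raw).
EVENTS = [
    ("2024-05-01T10:00:00", "{action:login user_id:u123}"),
    ("2024-05-01T10:00:20", "{action:export user_id:u123}"),   # same user, 20s later
    ("2024-05-01T10:05:00", "{action:login user_id:u456}"),    # single event
    ("2024-05-01T10:00:05", "{action:login user_id:u789}"),
    ("2024-05-01T10:02:00", "{action:export user_id:u789}"),   # >60s later: new transaction
]

# Same pattern as the thread's rex, in Python's (?P<name>...) syntax.
USER_ID_RE = re.compile(r"user_id:(?P<id>.+?)\}")
MAXSPAN = timedelta(seconds=60)
MESSAGE_PREFIX = "Hi, this user was found to be doing a set of actions they shouldn't be: "


def extract_user_id(raw):
    """Pull the first user_id out of a raw string, or None if absent."""
    m = USER_ID_RE.search(raw)
    return m.group("id") if m else None


def build_transactions(events, maxspan=MAXSPAN):
    """Approximate `transaction fields="user_id" maxspan=60s`: events sharing a
    user_id that fall within maxspan of the transaction's first event are merged.
    Like Splunk, user_id becomes a multivalue list and _raw is the joined text."""
    open_tx = {}   # user_id -> transaction currently being assembled
    done = []
    for ts_str, raw in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        uid = extract_user_id(raw)
        if uid is None:
            continue
        tx = open_tx.get(uid)
        if tx is not None and ts - tx["start"] > maxspan:
            done.append(open_tx.pop(uid))   # maxspan exceeded: close and start anew
            tx = None
        if tx is None:
            tx = {"start": ts, "eventcount": 0, "user_id": [], "_raw": []}
            open_tx[uid] = tx
        tx["eventcount"] += 1
        tx["user_id"].append(uid)
        tx["_raw"].append(raw)
    done.extend(open_tx.values())
    for tx in done:
        tx["_raw"] = "\n".join(tx["_raw"])
    return done


def flag_users(events):
    """`where eventcount > 1`, then build the message from an id re-extracted
    from the combined _raw (the thread's rex workaround) rather than from the
    multivalue user_id field."""
    messages = []
    for tx in build_transactions(events):
        if tx["eventcount"] > 1:
            messages.append(MESSAGE_PREFIX + extract_user_id(tx["_raw"]))
    return messages


if __name__ == "__main__":
    for msg in flag_users(EVENTS):
        print(msg)
```

Running it prints a single message for u123: u456 has only one event and u789's two events are more than 60 seconds apart, so each lands in its own single-event transaction and is dropped by the eventcount filter.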


somesoni2
Revered Legend

Could you try this

search...
  | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + tostring(user_id)
  | transaction fields="user_id" maxspan=60s
  | where eventcount > 1 | rename user_id as message
  | table message
0 Karma

thisissplunk
Builder

This one didn't work either. I would have thought one of your suggestions would have. I've ended up using rex to pull the field I want from the _raw instead. This is working.

0 Karma

woodcock
Esteemed Legend

Try changing the + to .

If Splunk thinks user_id is a number, it may be trying to do a mathematical addition instead of a string concatenation. Really, that should probably be a bug if that is what is happening (it is fine for Splunk to guess "math", but once that turns out not to work, it should default to "concatenation").

thisissplunk
Builder

This does not work either. I'm out of ideas. Is there any way to debug the fields, or anything else that can help me find a definitive answer?

0 Karma

somesoni2
Revered Legend

Can you try these:

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | nomv user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message

search...
 | transaction fields="user_id" maxspan=60s
 | where eventcount > 1 | table user_id | mvexpand user_id | dedup user_id
 | eval message="Hi, this user was found to be doing a set of actions they shouldn't be: " + user_id
 | table message
0 Karma

thisissplunk
Builder

Sadly neither of those worked. message is blank but user_id is not. I've tried the other mv commands as well. Mvjoin used to work for me which is even stranger.

Is it possible the data types are not lining up? Is there a way to check this? Any other things I can do to debug and get some solid answers?

0 Karma