Splunk Search

Filter results AFTER transaction function

timmy13
Communicator

I have data that requires I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.

source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........

The results still include all Source_IPs, not just the one in the where clause.

Any ideas?


moesaidi
Path Finder

Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries, WHERE, and SEARCH both don't seem to do anything after a transaction command.


yannK
Splunk Employee

After a transaction, all the fields of the transactions are merged into a single field. If they are the same, only one is kept; if they are different, they are all concatenated.

Example:

search * |eval raw=_raw | table host source source_IP raw
hostA sourceA 192.168.168.73 "myrawevent"
hostA sourceA 192.168.168.10 "mysecondrawevent"

After the transaction:

search | transaction |eval raw=_raw | table host source source_IP raw
hostA sourceA "192.168.168.73 192.168.198.10" "myrawevent mysecondrawevent"

so you may want to filter using wildcards, like

source=*.log |transaction maxspan=10s maxpause=2 |WHERE Source_IP="*192.168.168.73*"

or

source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")

or

source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"
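As an added example (not part of this thread's answers), the same filter can be applied to the merged multivalue Source_IP field with an anchored regex via mvfind, so that a neighbouring address such as 192.168.168.7 or a longer string containing the target is not accepted the way a "*192.168.168.73*" wildcard would accept it; the source pattern, field name and span values are taken from the question, and duration and eventcount are the fields the transaction command itself adds.

```spl
source=*.log
| transaction maxspan=10s maxpause=2
| where isnotnull(mvfind(Source_IP, "^192\.168\.168\.73$"))
| table _time duration eventcount Source_IP
```

mvfind returns the position of the first value in the multivalue field that matches the regex, or null when none does, so the where clause keeps a transaction only if one of its merged addresses is exactly the one of interest.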

sideview
SplunkTrust

Here are some things I would double check.

Are you sure the case is the same? Field names are case sensitive.

Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.

If you wrap the IP in wildcards, does it still fail to match? It sounds dubious, but maybe the extracted value ended up with a space character on one side or the other.


sideview
SplunkTrust

Hmm... Well, I'm not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to support@splunk.com so they can start looking at it for you and asking around internally.


timmy13
Communicator

Thanks for responding, Nick. Yes, I tried search as well, with the same results. And I have confirmed the case. Wildcards around the IP don't resolve it.

To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.
