Splunk Search

Filter results AFTER transaction function

timmy13
Communicator

I have data that requires I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.

source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........

The results still include all Source_IP's, not just the one in the where clause.

Any ideas?


moesaidi
Path Finder

Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries, WHERE, and SEARCH both don't seem to do anything after a transaction command.


yannK
Splunk Employee

After a transaction, the values of each field from the grouped events are merged into a single field: if they are the same, only one is kept; if they are different, they are all concatenated.

Example:


search * |eval raw=_raw | table host source source_IP raw
hostA sourceA 192.168.168.73 "myrawevent"
hostA sourceA 192.168.168.10 "mysecondrawevent"

After the transaction:


search | transaction |eval raw=_raw | table host source source_IP raw
hostA sourceA "192.168.168.73 192.168.168.10" "myrawevent mysecondrawevent"

So you may want to filter using wildcards, like:

source=*.log |transaction maxspan=10s maxpause=2 |WHERE Source_IP="*192.168.168.73*"

or:

source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")

or:

source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"
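
A constructed, self-contained SPL search, added here as an illustration (it is not from any of the posters), that reproduces the merge and then filters after transaction on the thread's IP. The grouping field session, the row counter n, the helper field hit and the four IPs are all made up; makeresults stands in for the *.log source so the search runs on any Splunk instance with no data.

```spl
| makeresults count=4
| streamstats count AS n
| eval _time = _time + n
| eval session = if(n <= 2, "A", "B")
| eval Source_IP = case(n == 1, "192.168.168.73", n == 2, "192.168.168.10", n == 3, "192.168.168.7", n == 4, "10.0.0.7")
| sort -_time
| transaction session maxspan=10s maxpause=2s
| eval hit = mvfind(Source_IP, "^192\.168\.168\.73$")
| where isnotnull(hit)
| table session eventcount Source_IP
```

The first five lines build four events one second apart, two per session, so transaction (which expects events newest first, hence the sort) yields two transactions: session A holds 192.168.168.73 and 192.168.168.10, session B holds 192.168.168.7 and 10.0.0.7. After transaction, Source_IP is a multivalue field holding the distinct values of the grouped events, which is why a whole-field comparison such as where Source_IP="192.168.168.73" no longer matches; where also does not treat * as a wildcard, so where Source_IP="*192.168.168.73*" matches nothing at all (wildcards belong to the search command, and where needs like() or a regex). mvfind() tests every value of the multivalue field and returns the index of the first match or null, so the where keeps only session A. The anchored regex matters: a substring test such as like(Source_IP, "%192.168.168.7%") or search Source_IP="*192.168.168.7*" would also pull in the transaction containing 192.168.168.73, which is exactly the kind of false positive you do not want when isolating one host's activity.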

sideview
SplunkTrust

Here are some things I would double check.

Are you sure the case is the same? Field names are case sensitive.

Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.

If you wrap the IP in wildcards, does it still fail to match? It sounds dubious, but maybe the extracted value ended up with a space character on one side or the other.


sideview
SplunkTrust

Hmm... Well, I'm not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to support@splunk.com so they can start looking at it for you and asking around internally.


timmy13
Communicator

Thanks for responding, Nick. Yes, I tried search as well with the same results. And I have confirmed the case. Wildcards around the IP don't resolve it.

To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.
