Splunk Search

Filter results AFTER transaction function

timmy13
Communicator

I have data that requires I use "transaction" to form events. I would like to filter the resulting data by a field (Source_IP) after the transaction function. But using the where function seems to have no result.

source=*.log |transaction maxspan=10s maxpause=2 |where Source_IP="192.168.168.73"|chart........

The results still include all Source_IP's, not just the one in the where clause.

Any ideas?

Tags (2)

moesaidi
Path Finder

Seeing the same effect in 6.5.2
Trying to form events using transaction but exclude specific entries, WHERE, and SEARCH both don't seem to do anything after a transaction command.

0 Karma

yannK
Splunk Employee
Splunk Employee

After a transaction, all the fields of the transactions are merged into a single field.
if they are the same, only one is kept, if they are different, they are all concatenated.

example


search * |eval raw=_raw | table host source source_IP raw
hostA sourceA 192.168.168.73 "myrawevent"
hostA sourceA 192.168.168.10 "mysecondrawevent"

after the transastion


search | transaction |eval raw=_raw | table host source source_IP raw
hostA sourceA "192.168.168.73 192.168.198.10" "myrawevent mysecondrawevent"

so you may want to filter using wildcards, like

source=*.log |transaction maxspan=10s maxpause=2 |WHERE Source_IP="*192.168.168.73*"

or

source=*.log |transaction maxspan=10s maxpause=2 | WHERE like(Source_IP,"%192.168.168.73%")

or

source=*.log |transaction maxspan=10s maxpause=2 |search Source_IP="*192.168.168.73*"

sideview
SplunkTrust
SplunkTrust

Here are some things I would double check.

Are you sure the case is the same? Field names are case sensitive.

Does the search command also fail to filter them out? Generally I use search unless I need something that only where has, like where fooField=barField.

If you put wrap the IP in wildcards does it still fail to match? It sounds dubious but maybe the extracted value ended up with a space character on one side or the other.

0 Karma

sideview
SplunkTrust
SplunkTrust

Hmm.. Well im not positive that it's a bug, and others might still post more troubleshooting ideas, but at this point I'd send it in to [email protected] so they can start looking at it for you and asking around internally.

0 Karma

timmy13
Communicator

Thanks for responding Nick. Yes, I tried search as well with the same results. And I have confirmed the case. Wildcards around the IP doesn't resolve it.

To make sure, I stuck the IP address in the first part of the search and got data. Of course, searching before the transaction screws up my results.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...