Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter transaction

indeed_2000
Motivator
‎11-03-2023 03:24 AM

Hi

i have log line like this,

1-need to group by them by ID,

2- filter those transactions that has T[A]

 

#txn1
16:30:53:002 moduleA ID[123]
16:30:54:002 moduleA ID[123]
16:30:55:002 moduleB ID[123]T[A]
16:30:56:002 moduleC ID[123]

#txn2
16:30:57:002 moduleD ID[987]
16:30:58:002 moduleE ID[987]T[B]
16:30:59:002 moduleF ID[987]
16:30:60:002 moduleZ ID[987]

 

Any idea?

Thanks

Labels (4)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2023 03:57 AM

What fields do you already have extracted?

By "filter" do you mean filter in or filter out i.e. do you want to keep the events with T[A], keep only those events with T[A] or remove them altogether?

0 Karma
Reply

indeed_2000
Motivator
‎11-03-2023 10:15 AM

@ITWhisperer need to see filter out/in result to decide.

All fields extracted already.

need keep the events with T[A].

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2023 12:02 PM 
| sort 0 ID
0 Karma
Reply

indeed_2000
Motivator
‎11-03-2023 12:13 PM

@ITWhisperer ?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2023 12:25 PM

Your events will be together by ID

0 Karma
Reply

indeed_2000
Motivator
‎11-03-2023 01:01 PM

@ITWhisperer 

How about other part? 

FYI: i mean extract key value one by one with rex command not whole transaction.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-03-2023 01:52 PM

Not sure I understand, you just said all fields already extracted?

0 Karma
Reply

indeed_2000
Motivator
‎11-03-2023 02:04 PM

@ITWhisperer i mean id, t , … key value extracted not transaction.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2023 03:19 AM

What do you mean by transaction?

0 Karma
Reply

indeed_2000
Motivator
‎11-04-2023 07:49 AM

@ITWhisperer 

#txn1
16:30:53:002 moduleA ID[123]
16:30:54:002 moduleA ID[123]
16:30:55:002 moduleB ID[123]T[A]
16:30:56:002 moduleC ID[123]

#txn2
16:30:57:002 moduleD ID[987]
16:30:58:002 moduleE ID[987]T[B]
16:30:59:002 moduleF ID[987]
16:30:60:002 moduleZ ID[987]

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2023 09:23 AM

How do you determine which events are part of a "transaction"?

0 Karma
Reply

indeed_2000
Motivator
‎11-04-2023 09:25 AM

@ITWhisperer group by id

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2023 09:31 AM 
| stats list(_raw) as _raw by ID
0 Karma
Reply

indeed_2000
Motivator
‎11-04-2023 11:20 AM

@ITWhisperer you miss main question and I tell you step by step main question!

Would you please check main question? And tell me is there any way to do that?

thanks

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-04-2023 01:09 PM 
| stats list(_raw) as _raw list(T) as T by ID
| where T=="A"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...