Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering Hosts within a Transaction

tbrown
Path Finder
‎07-30-2020 10:00 AM

So I have a search that is structured as follows 

index=main <filtering for start and end events> OR <filtering for events within start and end events>  | rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." | transaction startswith="..." endswith="..."

The rex fields work, the transaction works, etc. However, In the events within the transaction, it pulls from every host that fits the filtering. Basically, I want to limit the transaction to only include the hosts that are listed in the Falling_Node and Rising_Node fields. I've tried adding "host=Falling_Node OR host=Rising_Node" in the "filtering for events within start and end events" but it either clears all events out of the transaction or does nothing.

Does anyone have tips?

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2020 10:12 AM

You can tell the transaction command to use fields when matching up events.  Something like this

index=main <filtering for start and end events> OR <filtering for events within start and end events>  
| rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." 
| transaction Rising_Node, Falling_Node startswith="..." endswith="..."
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tbrown
Path Finder
‎07-30-2020 12:56 PM

@richgalloway 

That would be a good solution, however only one  event (the last event) in my transactions actually contain the fields "Rising_Node" and "Falling_Node". That means that I can't sort the transaction like you mentioned because it would never find the "startswith" event to make the transactions. Do you have any alternative solutions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2020 01:19 PM

Perhaps this?

index=main <filtering for start and end events> OR <filtering for events within start and end events>  
| rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." 
| where (host=Rising_Node OR host=Falling_Node)
| transaction startswith="..." endswith="..."
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tbrown
Path Finder
‎07-30-2020 02:15 PM

@richgalloway Unfortunately that didn't work either and it returns no results.   

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...