Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtering Hosts within a Transaction

tbrown
Path Finder
‎07-30-2020 10:00 AM

So I have a search that is structured as follows 

index=main <filtering for start and end events> OR <filtering for events within start and end events>  | rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." | transaction startswith="..." endswith="..."

The rex fields work, the transaction works, etc. However, In the events within the transaction, it pulls from every host that fits the filtering. Basically, I want to limit the transaction to only include the hosts that are listed in the Falling_Node and Rising_Node fields. I've tried adding "host=Falling_Node OR host=Rising_Node" in the "filtering for events within start and end events" but it either clears all events out of the transaction or does nothing.

Does anyone have tips?

Labels (4)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2020 10:12 AM

You can tell the transaction command to use fields when matching up events.  Something like this

index=main <filtering for start and end events> OR <filtering for events within start and end events>  
| rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." 
| transaction Rising_Node, Falling_Node startswith="..." endswith="..."
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tbrown
Path Finder
‎07-30-2020 12:56 PM

@richgalloway 

That would be a good solution, however only one  event (the last event) in my transactions actually contain the fields "Rising_Node" and "Falling_Node". That means that I can't sort the transaction like you mentioned because it would never find the "startswith" event to make the transactions. Do you have any alternative solutions?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-30-2020 01:19 PM

Perhaps this?

index=main <filtering for start and end events> OR <filtering for events within start and end events>  
| rex field=_raw "...<Rising_Node>..." | rex field=_raw "...<Falling_Node>..." 
| where (host=Rising_Node OR host=Falling_Node)
| transaction startswith="..." endswith="..."
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

tbrown
Path Finder
‎07-30-2020 02:15 PM

@richgalloway Unfortunately that didn't work either and it returns no results.   

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...