Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I create a transaction when not all fields are present?

mayakulkarni
New Member
‎09-06-2016 02:13 PM

Hi!

I am a Splunk beginner and have the following question.

I have some events I would like to transact, but not all field values are present in all events. E.g:

Event1: cookie, ip
Event2: c_ip (value is same as ip field in event1)
Event3: client_ip (value same as ip field in event1)

I want events that have different values for the field cookie, but the same IP to be put into a different transaction, so this is why I cannot just rename the ip fields and transact on the ip.

Thanks!

0 Karma
Reply

sundareshr
Legend
‎09-06-2016 03:46 PM

You need the coalesce command. Like this

... | eval ip=coalesce(ip, src_ip, client_ip) | transaction ip

http://blogs.splunk.com/2014/03/21/search-command-coalesce/

0 Karma
Reply

mayakulkarni
New Member
‎09-06-2016 04:12 PM

thanks, but one more questioN: I can see how this will work for the ip fields I have, but will this help for transacting based on a unique cookie and ip pair? my situation is as follows:

event1: cookie=sugar, ip=1.0
event2: c_ip=1.0
event3: client_ip=1.0

event4: cookie=chocolate, ip=1.0
event5: c_ip=1.0
event6: client_ip=1.0

in this scenario, i want events 1-3 to be transacted together, and events 4-6 to be transacted together

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...