Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I re-insert newlines into transaction raw message for dashboard?

stucky101
Engager
‎08-01-2022 11:42 AM

Gurus

I am working on a Studio Dash and I would like to add the output of a transaction the way it is usually shown in the search gui for debugging purposes so I can easily see if the transaction is correct.

Turns out the only option I seem to have is a table but here I only get the raw msg. That's ugly and unreadable, of course, since the newlines are merged into one. 

Is there a way to do this within a dashboard and make the message look just like in the search gui ? Perhaps I could re-insert the newlines ?

 

Thx

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-01-2022 11:50 PM

Hi @stucky101,

why don't you try to avoid transaction command to have the result you want?

in other words: if you have to group events by a key (called "your_key") and you want to display three fields, instead this transaction command:

<your_search>
| transaction your_key
| table _time your_key field1 field2 field3

you could run:

<your_search>
| stats 
   earliest(_time) AS _time 
   values(field1) AS field1
   values(field2) AS field2
   values(field3) AS field3
   BY your_key

Ciao.

Giuseppe

0 Karma
Reply

stucky101
Engager
‎08-02-2022 12:25 PM

Giuseppe

I have many transactions and some are more complex including startswith. I'm trying to extract an Infoblox zone transfer and that is proving challenging but transactions have helped a lot.

I also do  the tr by more than one field. F.e. here I have extracted the zone name and then I do this"

query | rex for zone | transaction endswith="Transfer completed:" by host,zone

Besides, Im sure there are times when you definitely need a transaction and I was just wondering if you can re-format those back into the same style that the searchapp displays them.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...