Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I re-insert newlines into transaction raw message for dashboard?

stucky101
Engager
‎08-01-2022 11:42 AM

Gurus

I am working on a Studio Dash and I would like to add the output of a transaction the way it is usually shown in the search gui for debugging purposes so I can easily see if the transaction is correct.

Turns out the only option I seem to have is a table but here I only get the raw msg. That's ugly and unreadable, of course, since the newlines are merged into one. 

Is there a way to do this within a dashboard and make the message look just like in the search gui ? Perhaps I could re-insert the newlines ?

 

Thx

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-01-2022 11:50 PM

Hi @stucky101,

why don't you try to avoid transaction command to have the result you want?

in other words: if you have to group events by a key (called "your_key") and you want to display three fields, instead this transaction command:

<your_search>
| transaction your_key
| table _time your_key field1 field2 field3

you could run:

<your_search>
| stats 
   earliest(_time) AS _time 
   values(field1) AS field1
   values(field2) AS field2
   values(field3) AS field3
   BY your_key

Ciao.

Giuseppe

0 Karma
Reply

stucky101
Engager
‎08-02-2022 12:25 PM

Giuseppe

I have many transactions and some are more complex including startswith. I'm trying to extract an Infoblox zone transfer and that is proving challenging but transactions have helped a lot.

I also do  the tr by more than one field. F.e. here I have extracted the zone name and then I do this"

query | rex for zone | transaction endswith="Transfer completed:" by host,zone

Besides, Im sure there are times when you definitely need a transaction and I was just wondering if you can re-format those back into the same style that the searchapp displays them.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...