Solved: How do I separate the results of a transaction to ...

gcusello · ‎01-12-2016

Hi at all,

I have to separate the results of a transaction to separately show each event.
I'd like to do this because I have to aggregate events into a transaction to verify some rules (eventcount), but after, I'd like to separately show events.

How can I do this?
thank you.
Bye.
Giuseppe

javiergn · ‎01-12-2016

Try this:

tag=SM 
| transaction sourcetype Application maxspan=300s mvraw=true
| eval myRaw = _raw
| mvexpand myRaw 
| rename myRaw as _raw

View solution in original post

woodcock · ‎01-13-2016

Don't use transaction in the first place.

javiergn · ‎01-12-2016

Try this:

tag=SM 
| transaction sourcetype Application maxspan=300s mvraw=true
| eval myRaw = _raw
| mvexpand myRaw 
| rename myRaw as _raw

fdi01 · ‎01-12-2016

What is the query that you're using to generate the results?

gcusello · ‎01-12-2016

It's a very simple search:
tag=SM | transaction sourcetype Application maxspan=300s

How do I separate the results of a transaction to separately show each event?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms