Hi,
I have a search using transaction command
mysearch | transaction startswith=start endswith=end
and I am getting several events as one event. I would like those events to be displayed in a table.
Is it possible to do so??
please help
Thank you
Just to follow up as I had a similar issue, I think that you can get all the lines that each transaction returns into a single row by using _raw as your field e.g.
transaction | table _raw field1 field2 etc etc
I think you want:
mysearch | transaction startswith=start endswith=end mvlist=t | table field1, field2, field3
By default transaction will "group" like values, mvlist tells it to display repeated values in your resulting table
The next issue I haven't figured out yet will be if you need to export the results...
I am using this search index=main source=file.txt|transaction startswith=TM_6000 endswith=TM_6020 maxevents=10000
and my output is like
It looks so crappy and I am not able to use redirection for this ... appending a table command after transaction gives
I want it as a normal table so that I can provide external links to some of the fields
like kkolb said: provide some samples, real samples of your log events. perhaps we are then able to help.....
I am not getting a proper table. The values are deduplicated; for example, if the severity is info for 5 events, it will show only once, something like when we use values(field) or list(field). I am in need of an exact table 😞
as Ayn already stated, why don't just use the table command next?
My log events are like this
timestamp ... event start ..
.
....some other events
.
timestamp... event end
.
.
timestamp..another eventstart
.
.
event end
So in order to display all the events between start and stop I used the transaction command
... | transaction startswith="event star" endswith="event end".. but I want those events to be displayed in tables. How could I? Is there any other alternative to the transaction command?
Please help
I think a good idea would be to provide a few sample events, and a sketch of how you want the output.
So if it's the combined events you want to show, what's stopping you from using table?
Ayn, combined events that transaction creates should be displayed in tables and thereafter I have to use a re-director to one of the fields like severity. I need to display all the events between specific keywords; that is the reason I used the transaction command
Which events, the pre-transaction individual events or the combined events that transaction creates?
Hi,
I don't want events as multivalued; I did so because these events can be read through the transaction command.
I want them to be in tables
a table command after transaction can do the job
smolcj, can you explain your use case more fully?
So you're combining multiple events into one event, then you want that event to be displayed as...multiple events again?
something related to this, but my transaction uses startswith and endswith. I need tables in expanded form; now they are displaying as if I used list() or values(). I want it to be exactly like a normal table... any thoughts?
please help
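One way to get one table row per original event while still knowing which start/end block it belongs to, shown as an added example that is not from any poster in this thread: instead of merging events with transaction, number the blocks with streamstats and keep the events separate. It assumes the markers TM_6000 and TM_6020 from the search above appear in the raw event text, that blocks do not nest or overlap, and that severity is an extracted field; txn_id, is_start, is_end and ends_before are names made up for this example.

```spl
index=main source=file.txt
| sort 0 _time
| eval is_start=if(searchmatch("TM_6000"), 1, 0), is_end=if(searchmatch("TM_6020"), 1, 0)
| streamstats sum(is_start) as txn_id
| streamstats current=f sum(is_end) as ends_before
| fillnull value=0 ends_before
| where txn_id > ends_before
| table txn_id _time severity _raw
```

The where clause keeps an event only while more starts than ends have been seen before it, so events outside any start/end pair are dropped and the end event itself is kept. Each row carries its own severity value, so repeated values are not collapsed the way they are in a transaction's multivalue fields.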