Splunk Search

How to combine multiple transactions and still see the events grouped by transaction?

swimboy
New Member

I've created two transaction types, one named mail that finds all of the postfix events with the same queue_id; and second named spamd that finds all of the spamassassin records for a single email by using the pid and startswith and endswith criteria. I've also extracted a custom field named spamd_message_id that matches the message_id in the postfix events.

The standard flow of email through my system goes through postfix, then gets passed off to spamassassin if not rejected by an RBL, then back to postfix to be delivered to the user.

If I search like this: sourcetype=syslog | transaction name=mail, I get a list of postfix transactions as I expect. Likewise, if I search like this: sourcetype=syslog | transaction name=spamd, I get a list of spamassassin transactions.

But I can't figure out how to combine the three transactions that are all related by the message_id and spamd_message_id fields. I've put eval new_message_id=if(len(message_id)>0,message_id,if(len(spamd_message_id)>0,spamd_message_id,NULL)) before the transactions so that new_message_id can be a common field between the two transactions, but I can't find any way of combining them.

What can I do to see all of the events from the two different transaction types grouped together by new_message_id?

0 Karma

sundareshr
Legend

See if this works for you

sourcetype=syslog name=mail OR name=spamd | eval messageid=coalesce(message_id, spamd_message_id) | eventstats values(pid) as pid by messageid | table _time _raw messageid pid | sort messageid

*OR*

sourcetype=syslog name=mail OR name=spamd | eval messageid=coalesce(message_id, spamd_message_id) | eventstats last(pid) as pid by messageid | stats list(_raw) as _raw list(_time) as _time by messageid pid

0 Karma

swimboy
New Member

This doesn't work because it's not a field named "name", but a transaction named "mail" or "spamd" that selects the information that I'm interested in. I can't seem to use the OR command to combine two transaction searches into one result. I was hoping that I could use

sourcetype=syslog | transaction name=(mail OR spamd)

at the beginning of my search, but no matter how I structure the query, I keep getting the error that "name" should not be specified more than once.

0 Karma
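The linking the thread is after, worked through in Python rather than SPL as an added example (not Splunk's transaction implementation and not code from anyone in this thread): postfix lines chain by queue_id, spamd lines chain by pid, and the two chains join wherever both name the same message-id. The log lines, field names and regexes are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample syslog lines (not taken from the original thread).
SAMPLE = """\
Mar  1 10:00:01 mx postfix/smtpd[1201]: A1B2C3: client=example.net[192.0.2.10]
Mar  1 10:00:01 mx postfix/cleanup[1203]: A1B2C3: message-id=<abc@example.net>
Mar  1 10:00:02 mx spamd[2201]: spamd: processing message <abc@example.net> for bob:1000
Mar  1 10:00:03 mx spamd[2201]: spamd: clean message (1.2/5.0) for bob:1000 in 1.1 seconds
Mar  1 10:00:04 mx postfix/qmgr[1205]: A1B2C3: removed
Mar  1 10:00:05 mx postfix/smtpd[1201]: D4E5F6: client=other.example[192.0.2.20]
Mar  1 10:00:05 mx postfix/cleanup[1203]: D4E5F6: message-id=<xyz@other.example>
Mar  1 10:00:06 mx spamd[2202]: spamd: processing message <xyz@other.example> for bob:1000
"""
POSTFIX = re.compile(r"postfix/\w+\[\d+\]: (?P<queue_id>[0-9A-F]+): (?P<rest>.*)")
SPAMD = re.compile(r"spamd\[(?P<pid>\d+)\]: (?P<rest>.*)")
MSGID = re.compile(r"<(?P<mid>[^>]+)>")

def event_keys(line):
    """Linking keys of one line: queue_id (postfix) or pid (spamd), plus the message-id if present."""
    keys = []
    if m := POSTFIX.search(line):
        keys.append(("queue_id", m["queue_id"]))
        if "message-id=" in m["rest"]:
            keys.append(("message_id", MSGID.search(m["rest"])["mid"]))
    elif m := SPAMD.search(line):
        keys.append(("pid", m["pid"]))
        if "processing message" in m["rest"]:
            keys.append(("message_id", MSGID.search(m["rest"])["mid"]))
    return keys

def group_events(text):
    """Union-find over the keys, so every line sharing a queue_id, pid or message-id
    (directly or transitively) lands in one group; groups are returned in first-seen order."""
    parent = {}
    def find(k):
        parent.setdefault(k, k)
        while parent[k] != k:
            parent[k] = parent[parent[k]]  # path halving
            k = parent[k]
        return k
    events = []
    for line in text.splitlines():
        keys = event_keys(line)
        if keys:  # lines that are neither postfix nor spamd are dropped
            for k in keys[1:]:
                parent[find(k)] = find(keys[0])
            events.append((keys[0], line))
    groups = defaultdict(list)
    for key, line in events:
        groups[find(key)].append(line)
    return list(groups.values())
```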