
How to compare values of a field in a transaction?

Communicator

Is it possible to compare values in a transaction?

I have a transaction with maxspan of 5 minutes, which group events which happened within 5 minutes of each other.

I want to compare the values of a field inside the transaction, and if the fields are similar, it will create a new value in a new field.

EDIT: I also want to check if the transactions happen between a certain time range, e.g. 8pm to 5am, and if it falls in the time range, create a new value in a new field too.

0 Karma

Re: How to compare values of a field in a transaction?

Legend

Yes, it is possible. However, you haven't given enough information for me to provide detailed information on how to do it. So here is some general information that may help

yoursearchhere
| transaction whatever here maxspan=5m
| eval transaction_hour=strftime(_time,"%H")
| eval nighttime=if(transaction_hour>=20 OR transaction_hour<=5,"yes","no")
| eval diff=mvindex(yourField,0) - mvindex(yourField,-1)
| eval newField=if(diff<10,"newValue",null())
| eval newField=if(isnull(mvindex(yourField,0)) OR isnull(mvindex(yourField,-1)),null(),newField)

with a line-by-line explanation:
line 3 - _time represents the start time of the transaction. From _time, extract the hour.
line 4 - if the hour is between 8 pm and 5 am, set the new field "nighttime" to yes; otherwise set it to no
line 5 - for a field named "yourField", calculate the difference between the first event in the transaction and the last event in the transaction
line 6 - if the difference is less than 10, create a new field and set it to "newValue"; otherwise, set the field to null
line 7 - also set newField to null if yourField was null in either the first event or the last event of the transaction

HTH


Re: How to compare values of a field in a transaction?

Communicator

Thanks. I believe part of your answer will work, but some parts may not. For example, the field yourField will not be a numerical value; it will be a string (IP address). I would like to compare the different yourField values in the transaction, and if there is more than one, newField will become "Multiple Sources".

EDIT: Is it possible to do the transaction_hour down to half an hour too? Is it like this?

| eval transaction_hour=strftime(_time,"%H%M")
| eval nighttime=if(transaction_hour>=1800 OR transaction_hour<=0830,"yes","no")
0 Karma

Re: How to compare values of a field in a transaction?

Legend

If it is only 1 field you want to compare, you can do the normal dedup. Like this:

yoursearchhere
| transaction whatever here maxspan=5m
| eval transaction_hour=strftime(_time,"%H")
| eval nighttime=if(transaction_hour>=20 OR transaction_hour<=5,"yes","no")
| streamstats count
| mvexpand yourField
| dedup count yourField
| mvcombine yourField
| eval newField=if(mvcount(yourField)>1, "Multi Source", "Single Source")
0 Karma

Re: How to compare values of a field in a transaction?

Communicator

Unfortunately, it's not only one field.

0 Karma

Re: How to compare values of a field in a transaction?

Legend

Try this approach

yoursearchhere
| bin span=5m _time
| eval whatever=_time."#".whatever
| stats min(_time) as _time values(yourField1) as yourField1 values(yourField2) as yourField2 by whatever
| eval transaction_hour=strftime(_time,"%H")
| eval nighttime=if(transaction_hour>=20 OR transaction_hour<=5,"yes","no")
| eval newField=if(mvcount(yourField1)>1, "Multi Source", "Single Source")
| rex field=whatever "^[^#]+#(?<whatever>.*)"
| fields _time whatever yourField1 yourField2 etc

Re: How to compare values of a field in a transaction?

Communicator

Thanks! I just needed the

| eval newField=if(mvcount(yourField1)>1, "Multi Source", "Single Source")
0 Karma

Re: How to compare values of a field in a transaction?

Legend

Yeah, I missed that. Please accept this answer to close it out.

0 Karma

Re: How to compare values of a field in a transaction?

Communicator

But I got part of the answer from yours and part of the answer from the other answer. 😕

0 Karma

Re: How to compare values of a field in a transaction?

Legend

@ZacEsa, pick the answer closest to the one that worked and post the final query you used. This will help other users with a similar situation find the right answer faster. That's what this community is about.

The two answers here have one basic difference: one uses the transaction (@lguinn) to group events, the other uses bin + stats to group events.
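The grouping and flagging logic from both answers above (5-minute buckets, the off-hours flag with the asker's half-hour boundary, and the mvcount test for multiple sources), as an added Python example that is not part of this thread or of Splunk. The event records, the field names user and src_ip, and the 18:00 to 08:30 window are constructed assumptions; the last two events also show the bin + stats behaviour the final post mentions, where two events 8 minutes apart land in different buckets.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the thread): a timestamp, a grouping
# key (the thread's "whatever") and a source IP (the thread's "yourField").
SAMPLE_EVENTS = [
    {"time": "2023-03-01 21:01:10", "user": "alice", "src_ip": "10.0.0.5"},
    {"time": "2023-03-01 21:03:42", "user": "alice", "src_ip": "203.0.113.9"},
    {"time": "2023-03-01 21:04:15", "user": "alice", "src_ip": "10.0.0.5"},
    {"time": "2023-03-01 09:12:00", "user": "bob",   "src_ip": "10.0.0.7"},
    {"time": "2023-03-01 09:13:30", "user": "bob",   "src_ip": "10.0.0.7"},
    {"time": "2023-03-01 08:34:00", "user": "dave",  "src_ip": "10.0.0.9"},
    {"time": "2023-03-01 23:40:00", "user": "carol", "src_ip": "10.0.0.8"},
    {"time": "2023-03-01 23:48:00", "user": "carol", "src_ip": "198.51.100.4"},
]

SPAN_MINUTES = 5  # bin span=5m


def is_nighttime(start, begin=(18, 0), end=(8, 30)):
    """The thread's HHMM comparison (>=1800 OR <=0830), done on (hour, minute)
    tuples so zero-padded strings and string-vs-number ordering cannot bite."""
    hm = (start.hour, start.minute)
    return hm >= begin or hm <= end


def group_events(events, key="user", field="src_ip"):
    """bin span=5m _time | stats values(field) by key: each event goes into
    the 5-minute bucket its timestamp falls in, keyed by (bucket, key).
    Unlike transaction maxspan=5m, two events 8 minutes apart never share a group."""
    buckets = defaultdict(set)
    for ev in events:
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        bucket = ts.replace(second=0, minute=ts.minute - ts.minute % SPAN_MINUTES)
        buckets[(bucket, ev[key])].add(ev[field])
    return buckets


def flag_groups(events):
    """One row per group with the nighttime flag and the mvcount-style newField."""
    rows = []
    for (bucket, key), sources in sorted(group_events(events).items()):
        rows.append({
            "_time": bucket.strftime("%Y-%m-%d %H:%M"),
            "key": key,
            "sources": sorted(sources),
            "nighttime": "yes" if is_nighttime(bucket) else "no",
            "newField": "Multi Source" if len(sources) > 1 else "Single Source",
        })
    return rows
```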