Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)")

ib_321
New Member
‎01-26-2018 10:47 AM

My goal is to create a transaction that ends with customerId being "(null)" and starts with customerId being something other than "(null)". Here is my query:

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") maxspan=10m | stats count by deviceId

When I inspect the resulting list of deviceIds, none of them meet the criteria that I wanted for my transaction--none of them go from customerId!="(null)" to customerId="(null)". I have tried reversing the log ... | reverse | transaction ..., but I get the same result.

The only explanation I have come up with is that this has something to do with comparison to "(null)"--that in the end customerId will always be "(null)" after the last event--but this query compares customerId to the string "(null)" so that doesn't make sense.

Any help would be greatly appreciated. Thanks in advance.

Tags (2)
0 Karma
Reply

493669
Super Champion
‎01-26-2018 11:08 AM

Hi @ib_321,
before transaction command add | fillnull which will fill all null values by zero
try below:

...| fillnull| transaction deviceId startswith=(customerId!="0") endswith=(customerId="0") maxspan=10m | stats count by deviceId
0 Karma
Reply

ib_321
New Member
‎01-26-2018 12:16 PM

Thank you for your response. This didn't resolve the issue.

I don't think fillnull, replaces "(null)". For example,

... | fillnull | search customerId="(null)"

returns a bunch of events.

0 Karma
Reply

ddrillic
Ultra Champion
‎01-26-2018 12:26 PM

Interesting, the documentation at fillnull

says - 

... | fillnull

-- For the current search results, fill all empty fields with zero.

0 Karma
Reply

493669
Super Champion
‎01-26-2018 12:29 PM

ohhk..i thought its null field but it's a string (null)
Try below:

... | transaction deviceId startswith=(customerId!="(null)") endswith=eval(match(customerId, "(null)")) mvlist=true maxspan=10m | stats count by deviceId
0 Karma
Reply

ib_321
New Member
‎01-26-2018 03:22 PM

That seems to have solved my problem. Thank you!

Can you explain why this query worked while mine didn't?

0 Karma
Reply

493669
Super Champion
‎01-26-2018 08:21 PM

I think your query will also work just add mvlist=true

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") mvlist=true maxspan=10m | stats count by deviceId

The mvlist attribute controls whether the multivalue fields of the transaction are (1) a list of the original events ordered in arrival order or (2) a set of unique field values ordered lexigraphically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...