Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a transaction that startswith=(something!="(null)") endswith=(something="(null)")

ib_321
New Member
‎01-26-2018 10:47 AM

My goal is to create a transaction that ends with customerId being "(null)" and starts with customerId being something other than "(null)". Here is my query:

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") maxspan=10m | stats count by deviceId

When I inspect the resulting list of deviceIds, none of them meet the criteria that I wanted for my transaction--none of them go from customerId!="(null)" to customerId="(null)". I have tried reversing the log ... | reverse | transaction ..., but I get the same result.

The only explanation I have come up with is that this has something to do with comparison to "(null)"--that in the end customerId will always be "(null)" after the last event--but this query compares customerId to the string "(null)" so that doesn't make sense.

Any help would be greatly appreciated. Thanks in advance.

Tags (2)
0 Karma
Reply

493669
Super Champion
‎01-26-2018 11:08 AM

Hi @ib_321,
before transaction command add | fillnull which will fill all null values by zero
try below:

...| fillnull| transaction deviceId startswith=(customerId!="0") endswith=(customerId="0") maxspan=10m | stats count by deviceId
0 Karma
Reply

ib_321
New Member
‎01-26-2018 12:16 PM

Thank you for your response. This didn't resolve the issue.

I don't think fillnull, replaces "(null)". For example,

... | fillnull | search customerId="(null)"

returns a bunch of events.

0 Karma
Reply

ddrillic
Ultra Champion
‎01-26-2018 12:26 PM

Interesting, the documentation at fillnull

says - 

... | fillnull

-- For the current search results, fill all empty fields with zero.

0 Karma
Reply

493669
Super Champion
‎01-26-2018 12:29 PM

ohhk..i thought its null field but it's a string (null)
Try below:

... | transaction deviceId startswith=(customerId!="(null)") endswith=eval(match(customerId, "(null)")) mvlist=true maxspan=10m | stats count by deviceId
0 Karma
Reply

ib_321
New Member
‎01-26-2018 03:22 PM

That seems to have solved my problem. Thank you!

Can you explain why this query worked while mine didn't?

0 Karma
Reply

493669
Super Champion
‎01-26-2018 08:21 PM

I think your query will also work just add mvlist=true

... | transaction deviceId startswith=(customerId!="(null)") endswith=(customerId="(null)") mvlist=true maxspan=10m | stats count by deviceId

The mvlist attribute controls whether the multivalue fields of the transaction are (1) a list of the original events ordered in arrival order or (2) a set of unique field values ordered lexigraphically. If a comma- or space-delimited list of fields is provided, only those fields are rendered as lists.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...