Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create transaction based on multiple extrac...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to create transactions out of following log data
2014-07-22 09:42:04.189 linguini.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>critical</severity><kpiname>lanIf Bandwidth Utilization In</kpiname><target>EXT</target><targetparent>qc-markham1-gigabitethernet0/0/0-1</targetparent><errorcode /><date>1406046310</date><eventsourcehost>linguini</eventsourcehost><eventsource>CONCORD</eventsource><message>qc-markham1-gigabitethernet0/0/0-1 EXT -- Bandwidth in over 90% -- qc-markham1 GigabitEthernet0/0/0-1-EXT</message><notifygroup>NETRS</notifygroup></alert></send2mom>
2014-07-22 08:58:07.506 linguini.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>normal</severity><kpiname>lanIf Bandwidth Utilization In</kpiname><target>EXT</target><targetparent>qc-markham1-gigabitethernet0/0/0-1</targetparent><errorcode /><date>1406040715</date><eventsourcehost>linguini</eventsourcehost><eventsource>CONCORD</eventsource><message>qc-markham1-gigabitethernet0/0/0-1 EXT -- Bandwidth in over 90% -- qc-markham1 GigabitEthernet0/0/0-1-EXT</message><notifygroup>NETRS</notifygroup></alert></send2mom>
2014-07-22 08:54:22.714 skinner.qualcomm.com: <send2mom version="4.0.7"><alert destination="ALL"><severity>critical</severity><kpiname>lanIf Bandwidth Utilization</kpiname><target>Vlan402</target><targetparent>san-transit-e</targetparent><errorcode /><date>1406042837</date><eventsourcehost>skinner</eventsourcehost><eventsource>CONCORD</eventsource><message>BW over 80% -- san-transit-e Vlan402</message><notifygroup>NETRS</notifygroup></alert></send2mom>
Following is my base search
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify | rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"| search kpi = wanIf OR lanIf | eval device_interface = device." - ".interface*
What I am trying to do is create a transaction based on three extracted fields device-interface, bandwidth and severity. A transaction starts with either critical or major severity and ends with normal .
I am able to device endswith and startswith but if I introduce fields=device_interface bandwidth option splunk error out with *
Error in 'transaction': The fields option is invalid when a list of fields is provided in the argument list.
Is there a way to use a list of fields to indicate transaction and use a different field to indicate start and end of transaction?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it without using the "fields" keyword. Instead, just list the fields you want to use immediately after the transaction command. Something like this:
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify
| rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"
| search kpi = wanIf OR lanIf
| eval device_interface = device." - ".interface*
| transaction device_interface bandwidth option startswith="severity=critical OR severity=major" endswith="severity=normal"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try it without using the "fields" keyword. Instead, just list the fields you want to use immediately after the transaction command. Something like this:
index= public60 source="/local/mnt/send2mom_server/logs/receiver.log" NETRS eventtype=alarm_notify
| rex field=_raw "severity>(?<severity>.*)</severity.*kpiname>(?<kpi>.*) Bandwidth.*</kpiname.*target>(?<interface>.*)</target.*targetparent>(?<device>.*)</target.*Bandwidth in over (?<bandwidth>.*%) --"
| search kpi = wanIf OR lanIf
| eval device_interface = device." - ".interface*
| transaction device_interface bandwidth option startswith="severity=critical OR severity=major" endswith="severity=normal"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you this is exactly what I was missing.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post your full search?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
