Splunk Search

How to filter events from a transaction result.

harish_ka
Communicator

After the transaction command, I got a set of events as one event. Now I want to filter the logs from this transaction result.

Let's say my transaction result has 10 lines as Line 1 to Line 10.
Now I want only lines from line 3 to line 8.
How can I do this?
Please help... ASAP.

0 Karma

woodcock
Esteemed Legend

First, get rid of transaction by manufacturing a sessionID like this:

search... | reverse | streamstats current=t count(eval(searchmatch("start"))) AS sessionID | stats list(_raw) by sessionID

Now that you have a sessionID field for every event, you have more control and can do something like this:

search... | reverse | streamstats current=t count(eval(searchmatch("Start"))) AS sessionID | streamstats current=t count(eval(searchmatch("\"DEBUG - PQR\" OR \"DEBUG - XYZ\""))) AS subsessionID by sessionID | search (subsessionID=1 NOT Start) OR "DEBUG - XYZ" | stats list(_raw) by sessionID
0 Karma

dkoops
Path Finder

Maybe use mvindex?

| eval NewField=mvindex(_raw, 2, 7)
0 Karma

dkoops
Path Finder

Seems like the _raw field isn't a multivalue field after a transaction. It does, however, work for other fields. Maybe extract the useful info from the logs before running transaction?

0 Karma

dkoops
Path Finder

You could use a regular expression to extract the relevant info from the _raw field. That might, however, be a tedious job if there are a lot of exceptions; you might have to write several. This should work for your example:

| rex "(?s)PQR\s(?<RelevantLogStuff>.+)\s2015.+XYZ"
0 Karma

harish_ka
Communicator

The filtering is not based on line numbers. It's based on some keywords, let's say "ReStart" to "Close"; I need the logs which are in between these keywords, and the line numbers are not fixed either.

0 Karma

somesoni2
SplunkTrust

Is the filter (from row 3 to row 8) fixed, or does it depend on some value in the actual data?

0 Karma

harish_ka
Communicator

It's not fixed. It depends on the keyword I use, and on the requirement.

0 Karma

somesoni2
SplunkTrust

See if something like this would work for you.

search... | eval RawLines=_raw | transaction startswith="start" endswith="end" | eval RawLines=mvfilter(NOT match(RawLines,"Start") AND NOT match(RawLines,"End"))

The field _raw, though it looks like a multivalued field in the events tab, actually is not, so I created another field which holds the raw data lines, and the filter is applied on that field.

0 Karma

jmallorquin
Builder

An example please?

0 Karma

harish_ka
Communicator

Query:
search... | transaction startswith="start" endswith="end"

And I got the event below:

2015/10/17 06:32:43,872 EDT - DEBUG - Start
2015/10/17 06:32:43,872 EDT - DEBUG - PQR
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - ABC
2015/10/17 06:32:43,872 EDT - DEBUG - XYZ
2015/10/17 06:32:43,872 EDT - DEBUG - End

Now I need only the logs from DEBUG - PQR to DEBUG - XYZ.

Please help...

0 Karma
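Added example, not part of the thread: the marker-window logic the SPL answers above build with streamstats and rex, written in Python so it can be run offline against the sample lines from the question. assign_sessions mirrors the running count(eval(searchmatch(...))) that labels each line with a sessionID, slice_between keeps the lines from the first "DEBUG - PQR" through the first "DEBUG - XYZ" after it (with the no-begin and no-end edge cases handled), and regex_slice shows why the rex pattern needs the (?s) flag once transaction has joined the events with newlines. The eight SAMPLE_LINES are copied from the question's example; the function names are this example's own.

```python
import re

# Constructed sample: the eight lines of the transaction shown in the
# question, copied as a list (not real log data).
SAMPLE_LINES = [
    "2015/10/17 06:32:43,872 EDT - DEBUG - Start",
    "2015/10/17 06:32:43,872 EDT - DEBUG - PQR",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - ABC",
    "2015/10/17 06:32:43,872 EDT - DEBUG - XYZ",
    "2015/10/17 06:32:43,872 EDT - DEBUG - End",
]


def assign_sessions(lines, start_marker):
    """Label each line with a running count of start markers.

    This is what `streamstats current=t count(eval(searchmatch(...))) AS
    sessionID` does in SPL: every line inherits the number of the most
    recent start marker, so one session's lines can be grouped without
    the transaction command. Lines before the first marker get 0.
    Lines are assumed to be in chronological (oldest-first) order.
    """
    session = 0
    labelled = []
    for line in lines:
        if start_marker in line:
            session += 1
        labelled.append((session, line))
    return labelled


def slice_between(lines, begin_marker, end_marker, include_markers=True):
    """Keep the lines from the first begin_marker through the first
    end_marker that follows it (the thread's "PQR to XYZ" requirement).

    Two running counters stand in for the SPL version: seen_begin
    (current=t: counts the current line) and seen_end (current=f:
    counts only previous lines); a line is kept while
    seen_begin > 0 and seen_end == 0. Edge cases: no begin marker
    gives [], a missing end marker keeps everything after begin.
    """
    seen_begin = 0
    seen_end = 0
    kept = []
    for line in lines:
        is_begin = begin_marker in line
        is_end = end_marker in line
        if is_begin:
            seen_begin += 1
        inside = seen_begin > 0 and seen_end == 0
        if inside and (include_markers or not (is_begin or is_end)):
            kept.append(line)
        if is_end:
            seen_end += 1
    return kept


def regex_slice(raw, begin_marker, end_marker, dotall=True):
    """The rex approach on a transaction's joined _raw.

    transaction joins events with newlines, and `.` does not cross a
    newline unless the DOTALL flag ((?s) in PCRE/rex) is set, so the
    same pattern returns None without it. The match runs from the start
    of the line holding begin_marker to the end of the line holding the
    first end_marker after it.
    """
    flags = re.MULTILINE | (re.DOTALL if dotall else 0)
    pattern = re.compile(
        r"^([^\n]*" + re.escape(begin_marker) + r".*?"
        + re.escape(end_marker) + r"[^\n]*)",
        flags,
    )
    match = pattern.search(raw)
    return match.group(1) if match else None


if __name__ == "__main__":
    for session, line in assign_sessions(SAMPLE_LINES, "DEBUG - Start"):
        print(session, line)
    print("\n".join(slice_between(SAMPLE_LINES, "DEBUG - PQR", "DEBUG - XYZ")))
    # Without DOTALL the rex-style pattern cannot span the joined lines.
    print(regex_slice("\n".join(SAMPLE_LINES), "DEBUG - PQR", "DEBUG - XYZ", dotall=False))
```

The streamstats-style counters are the more robust of the two approaches: they work however many lines sit between the markers and do not depend on the transaction command joining events into a single _raw, which is what defeats both mvindex on _raw and a rex without (?s).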