Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get transaction results in table with "transacted" items in separate rows?

splunk_thunk
Explorer
‎05-10-2022 08:04 AM

Hello Experts,

I have a transaction query that I am displaying in a table. I am able to get results in a table, however, the results tied in a single transaction appear as single row in the table. I would like to have them displayed in separate rows, as if they are individual search results.

Here's an example:

Log Data:

  Transaction Id=1, step=1, data_x=dataX1, data_y=dataY1

  Transaction Id=1, step=2, data_x=dataX2, data_y=dataY2

How results look like

Transaction Id data_x data_y

1

1

dataX1

dataX2

dataY1

dataY2

2

2

 ... ...

 

Need it to look like

Transaction Id data_x data_y
1 dataX1 dataY1
1 dataX2 dataY2
2 ... ...
2 ... ...

 

Any help appreciated.

Thanks!

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

splunk_thunk
Explorer
‎05-11-2022 11:30 AM

Thanks @ITWhisperer . Trying it out in prod before I mark resolved.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-10-2022 08:29 AM

Please share the SPL that produces the current results.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

splunk_thunk
Explorer
‎05-10-2022 11:01 AM

@richgalloway 

| makeresults count=4
| streamstats count
| eval transactionId = case(count=1 OR count=2, 1, count=3 OR count=4, 2) | eval step = case(transactionId=1 AND count<=2,count, transactionId=2,count-2) | eval data_x="dataX".step | eval data_y="dataY".step | eval val=case(step=1,step,step>1,"null. So how to print value_1 here as well?") | transaction transactionId | table transactionId, step, val, data_x, data_y | sort transactionId

 

Please try the above.

I have another question (you will notice it in search results from above query). For the same transaction, how can I print the value of a field from step=1 of the transaction into other steps in the result, when that field is not available in the other search results within same transaction.

Thanks much!

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2022 11:40 AM

I assume you used transaction to gather the events together so you could try using stats and list()

The main thing you need to do is zip all the fields together, mvexpand, then "unzip" them. This does rely on there being values in each of the fields, although that would be true for transaction as well

| makeresults count=4
| streamstats count
| eval transactionId = case(count=1 OR count=2, 1, count=3 OR count=4, 2) | eval step = case(transactionId=1 AND count<=2,count, transactionId=2,count-2) | eval data_x="dataX".step | eval data_y="dataY".step | eval val=case(step=1,step,step>1,"null. So how to print value_1 here as well?")
| stats list(data_*) as data_* list(step) as step list(val) as val by transactionId
| eval data=mvzip(data_x,mvzip(data_y,val,":"),":")
| mvexpand data
| eval data_x=mvindex(split(data,":"),0)
| eval data_y=mvindex(split(data,":"),1)
| eval val=mvindex(split(data,":"),2)
| table transactionId data_x data_y val
Reply
Solved! Jump to solution

splunk_thunk
Explorer
‎05-10-2022 12:12 PM

Thanks @ITWhisperer . That solves one problem. 

Any suggestions to copy value from step-1 of the transaction into step-2 of the same transaction when it is missing in step-2?

I have added  this table to a dashboard that has filter on val from my example. When val field is not available in step-2 of the same transaction, the filter condition removes that result from the table, which is not desired. 

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-10-2022 03:06 PM 
| makeresults count=4
| streamstats count
| eval transactionId = case(count=1 OR count=2, 1, count=3 OR count=4, 2) | eval step = case(transactionId=1 AND count<=2,count, transactionId=2,count-2) | eval data_x="dataX".step | eval data_y="dataY".step | eval val=case(step=1,step,step>1,null())
| streamstats latest(val) as val by transactionId
| stats list(data_*) as data_* list(step) as step list(val) as val by transactionId
| eval data=mvzip(data_x,mvzip(data_y,val,":"),":")
| mvexpand data
| eval data_x=mvindex(split(data,":"),0)
| eval data_y=mvindex(split(data,":"),1)
| eval val=mvindex(split(data,":"),2)
| table transactionId data_x data_y val
Reply
Solved! Jump to solution
Solution

splunk_thunk
Explorer
‎05-11-2022 11:30 AM

Thanks @ITWhisperer . Trying it out in prod before I mark resolved.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...