Splunk Search

Is it possible to compare field values in transaction?

broman
Explorer

Is there any way to compare fields in transaction to find all transactions where some fields are the same or different in all events in transaction?
My transaction search:

index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host
0 Karma

niketn
Legend

You can use search command to search for specific value present on absent in the transaction field.

  1. To see if string "foo" is present in ThreadId add | search ThreadId="foo"

    index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} [(?\S+)]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId="foo"

  2. To see if string "bar" is missing in ThreadId add | search ThreadId!="bar"

    index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} [(?\S+)]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId!="bar"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

broman
Explorer

I downvoted this post because i don't try to search transaction with specific thread id but transaction where specified filed inside it has different values

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@broman,

Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.

Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

niketn
Legend

Can you give example from some sample data to explain? Like sample ThreadID and fieldX? If you have to group fields together and then work on the values of another field after joining, then stats might work better than transaction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Please give an example so that I can make any correction if required. My intent was to state the fact that search command can be used to look through multivalued fields and equal to (=) and not equal to (!=) operators can be used for comparison with expected results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

lguinn2
Legend

You could do this

index=ourindex sourcetype=aem_error 
| rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" 
| transaction maxpause=4m keepevicted=true ThreadId host
| eval firstX=mvindex(X,0)
| where X!=firstX

This will keep only transactions where the values for field X are not all the same. To only keep transactions where the values of field X are all the same, replace the where command with this one:

| where NOT X!=firstX
0 Karma

broman
Explorer

It looks promising but doesn't work 😞 I have firstX in fields list but when I add last line it doesn't return anything. But Inspired by mvindex I found mvcount in documentation and write such query

index=mysource  sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | rex field=_raw "(\s+[^\s]+){2} \[(?<filedX>\S+)" | transaction maxpause=4m keepevicted=true ThreadId host | eval xCount=mvcount(filedX) | where xCount!=1
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...