Splunk Search

Is it possible to compare field values in transaction?

Explorer

Is there any way to compare fields in transaction to find all transactions where some fields are the same or different in all events in transaction?
My transaction search:

index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host
0 Karma

SplunkTrust

You can use the search command to search for a specific value present or absent in the transaction field.

  1. To see if string "foo" is present in ThreadId add | search ThreadId="foo"

    index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId="foo"

  2. To see if string "bar" is missing in ThreadId add | search ThreadId!="bar"

    index=ourindex sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | transaction maxpause=4m keepevicted=true ThreadId host | search ThreadId!="bar"

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

I downvoted this post because I don't try to search transactions with a specific thread id but transactions where a specified field inside them has different values

0 Karma

Splunk Employee

@broman,

Downvoting users should be reserved for suggestions that could be potentially harmful for someone's Splunk environment. The downvote form is supposed to be used to help educate the community to learn and improve based on context provided, which your reasoning does not.

Before engaging further in voting people's posts, read how voting etiquette works in Splunk Answers:
https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html

0 Karma

SplunkTrust

Can you give an example from some sample data to explain? Like a sample ThreadID and fieldX? If you have to group fields together and then work on the values of another field after joining, then stats might work better than transaction.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

SplunkTrust

Please give an example so that I can make any correction if required. My intent was to state the fact that search command can be used to look through multivalued fields and equal to (=) and not equal to (!=) operators can be used for comparison with expected results.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Legend

You could do this

index=ourindex sourcetype=aem_error 
| rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" 
| transaction maxpause=4m keepevicted=true ThreadId host
| eval firstX=mvindex(X,0)
| where X!=firstX

This will keep only transactions where the values for field X are not all the same. To only keep transactions where the values of field X are all the same, replace the where command with this one:

| where NOT X!=firstX
0 Karma

Explorer

It looks promising but doesn't work 😞 I have firstX in the fields list but when I add the last line it doesn't return anything. But inspired by mvindex I found mvcount in the documentation and wrote this query

index=mysource  sourcetype=aem_error | rex field=_raw "(\s+[^\s]+){3} \[(?<ThreadId>\S+)\]" | rex field=_raw "(\s+[^\s]+){2} \[(?<filedX>\S+)" | transaction maxpause=4m keepevicted=true ThreadId host | eval xCount=mvcount(filedX) | where xCount!=1
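As an added illustration of the two approaches in this thread (it is not code from any of the posters and is not SPL), here is a small Python model of what the search pipeline does: extract ThreadId with the thread's regex, group events into transactions by ThreadId and host with a 4-minute maxpause, merge the values of a second field into a multivalue-style list, and then apply both checks: the mvindex-style comparison of every value against the first one, and the mvcount-style test that the number of distinct values is not 1. The log line format, the host values, the `X_RE` regex that extracts the compared field (called X in the thread) and the rule that a transaction keeps only distinct values of X are all constructed assumptions for this example, not properties of the original data.

```python
import re
from datetime import datetime, timedelta

# The ThreadId regex from the thread's search, with Splunk's (?<name>...)
# group syntax written as Python's (?P<name>...).
THREAD_RE = re.compile(r"(\s+[^\s]+){3} \[(?P<ThreadId>\S+)\]")
# Hypothetical extraction for the field being compared (the thread calls it X):
# here it captures the logger name that follows the thread id. Assumption.
X_RE = re.compile(r"\]\s+(?P<X>\S+)")

MAXPAUSE = timedelta(minutes=4)  # transaction maxpause=4m

# Constructed sample events shaped like Splunk results: host is metadata,
# _raw is the log line. The line format is invented so that THREAD_RE matches.
T0 = datetime(2020, 4, 6, 10, 0, 0)
EVENTS = [
    {"_time": T0, "host": "aem1",
     "_raw": "Apr  6 10:00:00 aem1 *ERROR* [thread-1] com.example.Login failed"},
    {"_time": T0 + timedelta(seconds=30), "host": "aem1",
     "_raw": "Apr  6 10:00:30 aem1 *ERROR* [thread-1] com.example.Login retry"},
    {"_time": T0 + timedelta(seconds=60), "host": "aem1",
     "_raw": "Apr  6 10:01:00 aem1 *ERROR* [thread-2] com.example.Cache miss"},
    {"_time": T0 + timedelta(seconds=90), "host": "aem1",
     "_raw": "Apr  6 10:01:30 aem1 *ERROR* [thread-2] com.example.Render timeout"},
    # Same thread as the first two, but more than 4 minutes later: new transaction.
    {"_time": T0 + timedelta(minutes=10), "host": "aem1",
     "_raw": "Apr  6 10:10:00 aem1 *ERROR* [thread-1] com.example.Session expired"},
    # Same thread id on a different host: separate transaction.
    {"_time": T0 + timedelta(seconds=5), "host": "aem2",
     "_raw": "Apr  6 10:00:05 aem2 *ERROR* [thread-1] com.example.Render error"},
]


def extract_fields(event):
    """Mimic the two rex stages: add ThreadId and X to the event when they match."""
    ev = dict(event)
    m = THREAD_RE.search(ev["_raw"])
    if m:
        ev["ThreadId"] = m.group("ThreadId")
    m = X_RE.search(ev["_raw"])
    if m:
        ev["X"] = m.group("X")
    return ev


def build_transactions(events, maxpause=MAXPAUSE):
    """Group events by (ThreadId, host) like `transaction ThreadId host`.

    Events are processed in time order; a gap larger than maxpause between
    consecutive events of the same key starts a new transaction. Incomplete
    groups are kept (keepevicted=true). Each transaction carries the distinct
    values of X as a list standing in for Splunk's multivalue field.
    Simplification: events without a ThreadId are skipped.
    """
    by_key = {}
    for ev in sorted((extract_fields(e) for e in events), key=lambda e: e["_time"]):
        if "ThreadId" not in ev:
            continue
        key = (ev["ThreadId"], ev["host"])
        txns = by_key.setdefault(key, [])
        if txns and ev["_time"] - txns[-1]["last_time"] <= maxpause:
            txn = txns[-1]
        else:
            txn = {"ThreadId": key[0], "host": key[1], "events": [], "X": []}
            txns.append(txn)
        txn["events"].append(ev)
        txn["last_time"] = ev["_time"]
        if "X" in ev and ev["X"] not in txn["X"]:
            txn["X"].append(ev["X"])
    return [t for txns in by_key.values() for t in txns]


def x_values_differ(txn):
    """The mvindex approach: firstX=mvindex(X,0), then look for any X != firstX."""
    if not txn["X"]:
        return False
    first_x = txn["X"][0]
    return any(x != first_x for x in txn["X"])


def x_count(txn):
    """The mvcount approach: number of distinct values of X in the transaction."""
    return len(txn["X"])


def mixed_transactions(events):
    """Transactions whose events do not all agree on X (where xCount!=1)."""
    return [t for t in build_transactions(events) if x_count(t) != 1]


def uniform_transactions(events):
    """Transactions whose events all share one X value (where NOT X!=firstX)."""
    return [t for t in build_transactions(events) if x_count(t) == 1]


if __name__ == "__main__":
    for t in mixed_transactions(EVENTS):
        print(t["host"], t["ThreadId"], "has differing X values:", t["X"])
```

On the constructed events this yields four transactions, of which only thread-2 on aem1 carries two different X values; both checks agree on every transaction, which is the equivalence the thread relies on when it replaces the mvindex comparison with `mvcount(...)!=1`.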