Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Issue in transaction command
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Issue in transaction command
Hi Team,
I have few connections regarding transaction command. I have a series of events. One of the events are mentioned below.
1st event-RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101
2nd event- LLAPTU_PT280916DC0101
Questions-
1. Here I want to use transaction command based on PT280916DC010 pattern. Can someone please provide me regex to extract this. PT* will be fixed for every event.
2. As PT280916DC0101 is used in multiple times on 1st event. Will it create any problems ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is it necessary? if you don't extract it, transaction can be done.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa ..Yes actually I want to perform some other operations on id once it is extracted runtime.
How can we extract it at run time ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa I am able to extract the field id with rex field= _raw "..."
But when I am running transaction command on id..there is no statistics coming except events
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Transaction
transaction makes only duration and eventcount.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa ...strangely it is not producing statistics but when I am using table =* at the end I could see the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1:
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"
2: no
sample:
index=_internal | head 1 | fields _time _raw | eval _raw="RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101"
| appendpipe [ eval _raw="LLAPTU_PT280916DC0101"]
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@to4kawa I am unable to extract field PT280916DC0101 with | rex "_(?<id>PT\d+[A-Z]{2}\d{4})"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
