Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue in transaction command

ramprakash
Explorer
‎10-22-2020 06:03 AM

Hi Team,

 

I have few connections regarding transaction command. I have a series of events. One of the events are mentioned below.

1st event-RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101

2nd event- LLAPTU_PT280916DC0101

Questions-

1. Here I want to use transaction command based on PT280916DC010 pattern. Can someone please provide me regex to extract this. PT* will be fixed for every event.

2. As PT280916DC0101 is used in multiple times on 1st event. Will it create any problems ?

 

Labels (4)
Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎10-22-2020 06:51 AM

Is it necessary? if you don't extract it, transaction can be done.

0 Karma
Reply

ramprakash
Explorer
‎10-22-2020 06:59 AM

@to4kawa ..Yes actually I want to perform some other operations on id once it is extracted runtime.

How can we extract it at run time ?

0 Karma
Reply

ramprakash
Explorer
‎10-22-2020 07:20 AM

@to4kawa I am able to extract the field id with rex field= _raw "..."

 

But when I am running transaction command on id..there is no statistics coming except events

0 Karma
Reply

to4kawa
Ultra Champion
‎10-22-2020 07:26 AM

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Transaction

transaction makes only duration and eventcount.

0 Karma
Reply

ramprakash
Explorer
‎10-22-2020 09:28 AM

@to4kawa ...strangely it is not producing statistics but when I am using table =* at the end I could see the results.

0 Karma
Reply

to4kawa
Ultra Champion
‎10-22-2020 06:25 AM

1:
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"
2: no

sample:

index=_internal | head 1 | fields _time _raw | eval _raw="RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101"
| appendpipe [ eval _raw="LLAPTU_PT280916DC0101"]
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"
0 Karma
Reply

ramprakash
Explorer
‎10-22-2020 06:43 AM

@to4kawa I am unable to extract field PT280916DC0101 with | rex "_(?<id>PT\d+[A-Z]{2}\d{4})"

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...