Re: Issue in transaction command

ramprakash · ‎10-22-2020

Hi Team,

I have few connections regarding transaction command. I have a series of events. One of the events are mentioned below.

1st event-RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101

2nd event- LLAPTU_PT280916DC0101

Questions-

1. Here I want to use transaction command based on PT280916DC010 pattern. Can someone please provide me regex to extract this. PT* will be fixed for every event.

2. As PT280916DC0101 is used in multiple times on 1st event. Will it create any problems ?

to4kawa · ‎10-22-2020

Is it necessary? if you don't extract it, transaction can be done.

ramprakash · ‎10-22-2020

@to4kawa ..Yes actually I want to perform some other operations on id once it is extracted runtime.

How can we extract it at run time ?

ramprakash · ‎10-22-2020

@to4kawa I am able to extract the field id with rex field= _raw "..."

But when I am running transaction command on id..there is no statistics coming except events

to4kawa · ‎10-22-2020

https://docs.splunk.com/Documentation/Splunk/8.0.6/SearchReference/Transaction

transaction makes only duration and eventcount.

ramprakash · ‎10-22-2020

@to4kawa ...strangely it is not producing statistics but when I am using table =* at the end I could see the results.

to4kawa · ‎10-22-2020

1:
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"
2: no

sample:

index=_internal | head 1 | fields _time _raw | eval _raw="RAUPPT_PT280916DC0101...sm_mr=PT280916DC0101"
| appendpipe [ eval _raw="LLAPTU_PT280916DC0101"]
| rex "_(?<id>PT\d+[A-Z]{2}\d{4})"

ramprakash · ‎10-22-2020

@to4kawa I am unable to extract field PT280916DC0101 with | rex "_(?<id>PT\d+[A-Z]{2}\d{4})"

Issue in transaction command

field extraction

regex

rex

transaction

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms