Splunk Search

Listing on all the field values of a transaction event

macadminrohit
Contributor

I have created a transaction event based on the startswith and endswith functions. This new transaction event has clubbed all the original events into one event which has now got multiple fields with different field values.

For ex :

Event 1 , Message = A, Location = USA
Event 2, Message = B, Location = INDIA
Event 3, Message = C, Location = Mexico
Event 4, Message = D, Location = INDIA

Transaction Event:
Message = A, Location = USA
Message = B, Location = INDIA
Message = C, Location = Mexico
Message = D, Location = INDIA

Now since all the events are clubbed into one using the transaction command, how do I get all the field values of the fields Location and Message? If I use | stats count values(Message),values(Location) by somefield, it is just showing me the unique values of the Message and Location fields, skipping the repeating ones.

I don't want to skip anything. What's the best way out here?

0 Karma

elliotproebstel
Champion

If your search is now concluding with:

| stats count values(Message),values(Location) by somefield

perhaps you should consider eliminating the transaction call earlier in the search? There are usually other ways to achieve whatever you're trying to do with transaction (often using eventstats or streamstats), and in my experience these other approaches are usually more efficient and less prone to silent failure. If you would like help changing the structure of the overall command so that you can calculate these stats at the end, you could update the post or add a comment here with more details about the SPL that you're using and what your intended goals are.

0 Karma

macadminrohit
Contributor

This is my query. I am trying to get surrounding events when an error occurred in the logs, so I wrote the below query:

index=servers sourcetype=json macaddress="*"
| rename "bdy.msg" as Msg1,"bdy.ex.Msg" as Msg2, "appName" as App, "appVersion" as AppVers
| eval AppName_Version= App + "_" + AppVers
| transaction locId hostName macaddress endswith="Unhandled Exception" maxspan=60s
| stats count as Cnt,list(AppName_Version) as AppName_Version,list(Msg1) as Msg1,list(Msg2) as Msg2 by locId hostName macaddress
| sort -Cnt

Let me know how streamstats and eventstats can be used here.

0 Karma

elliotproebstel
Champion

Ok, I'm going to riff off this post: https://answers.splunk.com/answers/310019/as-part-of-a-splunk-alert-is-it-possible-to-includ.html by @rich7177

So let's say the message "Unhandled Exception" occurs in a field called status. I think this might work:

index=servers sourcetype=json macaddress="*"
| rename "bdy.msg" as Msg1,"bdy.ex.Msg" as Msg2, "appName" as App, "appVersion" as AppVers
| eval AppName_Version= App + "_" + AppVers, exception_message=if(status="Unhandled Exception", 1, NULL)
| streamstats last(exception_message) AS exception_present BY  locId hostName macaddress time_window=60s
| where isnotnull(exception_message) OR isnotnull(exception_present)
| stats count as Cnt,list(AppName_Version) as AppName_Version,list(Msg1) as Msg1,list(Msg2) as Msg2 by locId hostName macaddress
| sort -Cnt

I'm not 100% confident in this, but I think it's on the path to a solution.

0 Karma

macadminrohit
Contributor

Although it gives me some output, I want to understand the logic here. Would you mind explaining that?

0 Karma

micahkemp
Champion

That is the expected behavior of transaction. Your events have been combined into one event, and there are no longer duplicate values for each field.

0 Karma

macadminrohit
Contributor

If that is the case, then what would be taken as the field value? There are multiple fields with the same field name and multiple values.

0 Karma

micahkemp
Champion

The new event (which is made up of the original individual events) will have a field with multiple values. The new field values will be all of the unique values from the original event field of the same name.

So if you have the events:

name=me location=work status=working
name=me location=home status=sleeping
name=me location=work status=eating

My new event would look like:

name=me location=work,home status=working,sleeping,eating

(with comma-separated values representing multi-value fields)

0 Karma

macadminrohit
Contributor

That's where the problem is. I don't want to just find the unique values, I need all the values even if they are repeating.

name=me, location=work,home,work status=working,sleeping,eating

0 Karma

gmasca
Explorer

add mvlist

0 Karma

493669
Super Champion

Try to use list instead of values:

| stats count list(Message), list(Location) by somefield

0 Karma
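To see the two suggestions above (mvlist on transaction, list() instead of values()) side by side, here is an added example that is not from any of the answers; it rebuilds the asker's four-event scenario with makeresults so it runs on any Splunk instance without needing the real index, and host="h1" is a constructed grouping field:

```spl
| makeresults count=4
| streamstats count as n
| eval _time = _time + n,
       Message  = case(n=1, "A", n=2, "B", n=3, "C", n=4, "D"),
       Location = case(n=1, "USA", n=2, "INDIA", n=3, "Mexico", n=4, "INDIA"),
       host = "h1"
| transaction host maxspan=60s mvlist=true
| stats list(Message) as Message,
        list(Location) as Location,
        values(Location) as UniqueLocation
  by host
```

Without mvlist=true the transaction keeps only unique values per field, so Location would already be reduced to USA, INDIA, Mexico before stats runs; with it, list(Location) returns all four values including the repeated INDIA, while values(Location) still deduplicates.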