Multiple events returned in a single transaction -...

the_wolverine · ‎10-22-2010

I've got a transaction that returns 2 events. Originally these are 3 events but the transaction has combined 2 of them (I assume since they are from the same index/sourcetype.) When I output the fields (via outputcsv), I get 3 rows. Is it possible to have the output returned as a single row - as in a single transaction?

Here's an example of my search:

(index=corp OR index=mail) (sourcetype=fireeye OR sourcetype=imap) (fenotify=* OR Machine=*) 
  | transaction fenotify src_host connected=f maxspan=5m maxpause=5m 
  | fields + Date,Machine,src_ip,Subject,cef_dvendor,sname,dest_cnc_name,dest_cnc_channel_user_agent

southeringtonp · ‎10-23-2010

IIRC, the call to fields with the plus sign won't get rid of the reserved fields. I'm guessing you're also still seeing _raw, _cd, and friends in the CSV?

Try adding a call to:

| fields - _*

the_wolverine · ‎10-25-2010

I'm not seeing any unspecified fields with this search but the issue is that the fields returned show up in multiple rows because these are actually multiple events

Multiple events returned in a single transaction - possible to create a single row in a table/csv file?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation