Multiple events returned in a single transaction -...

the_wolverine · ‎10-22-2010

I've got a transaction that returns 2 events. Originally these are 3 events but the transaction has combined 2 of them (I assume since they are from the same index/sourcetype.) When I output the fields (via outputcsv), I get 3 rows. Is it possible to have the output returned as a single row - as in a single transaction?

Here's an example of my search:

(index=corp OR index=mail) (sourcetype=fireeye OR sourcetype=imap) (fenotify=* OR Machine=*) 
  | transaction fenotify src_host connected=f maxspan=5m maxpause=5m 
  | fields + Date,Machine,src_ip,Subject,cef_dvendor,sname,dest_cnc_name,dest_cnc_channel_user_agent

southeringtonp · ‎10-23-2010

IIRC, the call to fields with the plus sign won't get rid of the reserved fields. I'm guessing you're also still seeing _raw, _cd, and friends in the CSV?

Try adding a call to:

| fields - _*

the_wolverine · ‎10-25-2010

I'm not seeing any unspecified fields with this search but the issue is that the fields returned show up in multiple rows because these are actually multiple events

Multiple events returned in a single transaction - possible to create a single row in a table/csv file?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Multiple events returned in a single transaction - possible to create a single row in a table/csv file?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem