Splunk Search

Split transaction by new line

thomasreggi
New Member

I have a query like this:

213123123-231231230342 | transaction startswith="user login process start" endswith="user login process end"

Where it's returning the login flow for a given user. Similar to the output below. How can I break all of the new lines in the results from the transaction into their own events?

0 Karma

richgalloway
SplunkTrust

I'm not sure there's a way.
If you want separate events, why did you use transaction? It puts events together.

---
If this reply helps you, Karma would be appreciated.
0 Karma