Splunk Search

Table time field using transaction

adalbor
Builder

Hey all,

I am working on a dashboard to do a basic email search through Proofpoint logs and am using the transaction command to stitch together the events with the same message_session_id.

The query currently looks like this: index=proofpoint | transaction message_session_id | search from=$from$ to=$to$ rule=$rule$ subject=$subject$ | table from to subject file_name rule

My question is how would I table the time of the first event as a time column?

If I just run: index=proofpoint | transaction message_session_id it appears that it is just grabbing that first event's timestamp and using that as the time.

Thanks!
Andrew

0 Karma

bhavikbhalodia
Path Finder

Is it possible to share some sample logs?

0 Karma

raj_mpl
Path Finder

The time of the first event in the transaction is assigned to _time for the entire transaction. The transaction command automatically assigns a duration field to each transaction. You can eval the end time to be _time + duration.
... your search and transaction | eval First_Event_Time=_time | table ........

0 Karma

adalbor
Builder

I understand on a large data set it would be slow but on the time ranges I am using it is actually pretty quick.

I am using transaction as Proofpoint creates multiple events for a single email being processed so you could end up with 10 events relating to the processing of a single email.

If I run the search operators before my transaction command it doesn't return any data when testing with * searches hence why I placed my search later on.

0 Karma

adalbor
Builder

Tried tabling with _time but that didn't work either. It exhibited odd behavior: when I did a 15 min search it returned the right results. If I did a 60 min search, for some reason it wouldn't return the most recent few mins of results, but all the results after around 10 mins and then some.

0 Karma

Anantha123
Communicator

try with min(_time) instead of earliest(_time)

0 Karma

adalbor
Builder

In the table command? Or for the time picker?
This is what I have right now.

<form>
  <label>Proofpoint Email Search</label>
  <description>Search by sender, recipient, subject or rule name.</description>
  <fieldset>
    <input type="time" searchWhenChanged="true">
      <label>Select a time:</label>
      <default>Last 24 hours</default>
    </input>
    <input type="text" token="from" searchWhenChanged="true">
      <label>Sender:</label>
      <default>*</default>
    </input>
    <input type="text" token="to" searchWhenChanged="true">
      <label>Recipient:</label>
      <default>*</default>
    </input>
    <input type="text" token="subject" searchWhenChanged="true">
      <label>Subject:</label>
      <default>*</default>
    </input>
    <input type="text" token="rule" searchWhenChanged="true">
      <label>Rule:</label>
      <default>*</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <title>Emails</title>
        <search>
          <query>index=proofpoint | transaction message_session_id | search from=$from$ to=$to$ rule=$rule$ subject=$subject$ | table _time from to subject file_name rule</query>
          <earliest>$earliest$</earliest>
          <latest>$latest$</latest>
        </search>
        <option name="count">25</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

gcusello
SplunkTrust

Hi adalbor,
I'm sure that your search is very very slow!
Transaction command is a very slow command; then you use search parameters not in the beginning of your search but after transaction, this means that transaction must elaborate more events and your search is slower!
Why don't you think to use a different approach?

index=proofpoint from=$from$ to=$to$ rule=$rule$ subject=$subject$
| stats earliest(_time) AS earliest_time values(from) AS from values(to) AS to values(subject) AS subject values(file_name) AS file_name values(rule) AS rule BY message_session_id
| table earliest_time message_session_id from to subject file_name rule

Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi adalbor,
About transaction, it's a splunk command so you can use it, but I suggest to start to think different because in the next you'll probably have more data to correlate!

About the search problems, check one by one the search filters to understand which is the one (or more) that doesn't run, maybe there's one of them that must use also jolly chars (e.g. subject) at the beginning or at the end or both.
You can do this taking the main search and adding one by one the filters watching results and finding the one with problems;
then when you'll be sure about your search, you can insert transaction (or stats 😉 ) and check if you have the results you're waiting for.

Bye.
Giuseppe

0 Karma
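Putting together the stats approach from Giuseppe's two replies and the filter-ordering problem Andrew hit (filters placed before the grouping returned nothing, because the from/to/subject/rule fields of one email are spread across several Proofpoint events), this is an added SPL example, not a query from any of the posters. It keeps the first event's time as a column, filters only after the events of a session have been grouped, and formats the time for the table. Field names are those used in the thread; first_event_time, last_event_time and duration are names chosen here.

```spl
index=proofpoint
| stats earliest(_time)   AS first_event_time
        latest(_time)     AS last_event_time
        values(from)      AS from
        values(to)        AS to
        values(subject)   AS subject
        values(file_name) AS file_name
        values(rule)      AS rule
  BY message_session_id
| search from=$from$ to=$to$ rule=$rule$ subject=$subject$
| eval duration=last_event_time-first_event_time
| sort 0 -first_event_time
| eval first_event_time=strftime(first_event_time, "%Y-%m-%d %H:%M:%S")
| table first_event_time duration message_session_id from to subject file_name rule
```

It drops into the dashboard's <query> in place of the transaction search with $earliest$ and $latest$ unchanged; duration is in seconds, and the sort runs on the epoch value before strftime turns it into text.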