
Transaction - Related Events

New Member

I've been working for a while at extracting fields from joined events. At the moment I have (a simplified version):

2012-11-14 04:23:58.7730 (bzdate=20121113) txnid=1234 amount=$31.25 method = ABC

index=XYZ method = ABC | fields bzdate txnid amount

However before this I have:

012-11-14 04:23:58.4755 (bzdate=20121113) txnid=1234 XML: <?xml version="1.0" encoding="UTF-8"?>


31.25
true

I think I need to use xmlkv as well as the transaction command to extract these. But I'm unsure how to "link" the 2 transactions.

I tried something like:

index=XYZ method = ABC | transaction txnid | xmlkv | fields bzdate txnid amount amountAuthorised

But to no avail thus far. Unfortunately I can't be sure exactly how far apart the 2 events will be (they won't be a large amount apart) and there will be a lot of "noise" around these entries.

Thanks for any assistance

1 Solution

SplunkTrust

Your second search filters by method=ABC - however, your XML event does not appear to contain such a field. As a result your transaction command only gets to see half the story.



Legend

Just rearrange your search a bit. First create a transaction based on the txnid, THEN search for transactions that have method=ABC.

index=XYZ | transaction txnid | xmlkv | search method=ABC | fields bzdate txnid amount amountAuthorised

EDIT: Or, because transaction is kind of a resource-intensive command, you could use a subsearch that filters out all txnids that have method=ABC and THEN call transaction.

* [search index=XYZ method=ABC | fields index txnid] | transaction txnid | xmlkv | fields bzdate txnid amount amountAuthorised
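As an added illustration (written for this page, not code from the thread or from Splunk), the Python below models the three searches in this answer and the accepted explanation above: filtering on method=ABC before grouping drops the XML event because it carries no method field, whereas grouping first (or pre-selecting txnids with a subsearch) keeps both halves. The sample events are constructed from the two lines quoted in the question plus some noise; the XML element names amount and amountAuthorised are an assumption, since only the values 31.25 and true survived in the original post.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample events modelled on the two lines quoted in the question,
# plus "noise" from other transactions. The XML element names
# (<amount>, <amountAuthorised>) are an assumption: the tags were stripped
# from the original post and only the values 31.25 / true survived.
SAMPLE_EVENTS = [
    '2012-11-14 04:23:58.4755 (bzdate=20121113) txnid=1234 XML: <?xml version="1.0" encoding="UTF-8"?>'
    '<payment><amount>31.25</amount><amountAuthorised>true</amountAuthorised></payment>',
    '2012-11-14 04:23:58.6000 (bzdate=20121113) txnid=9999 heartbeat ok',
    '2012-11-14 04:23:58.7730 (bzdate=20121113) txnid=1234 amount=$31.25 method = ABC',
    '2012-11-14 04:23:59.0100 (bzdate=20121113) txnid=5678 XML: <?xml version="1.0" encoding="UTF-8"?>'
    '<payment><amount>10.00</amount><amountAuthorised>false</amountAuthorised></payment>',
    '2012-11-14 04:23:59.2000 (bzdate=20121113) txnid=5678 amount=$10.00 method = DEF',
]

# key=value pairs, tolerating spaces around '=' as in "method = ABC"
KV_RE = re.compile(r'(\w+)\s*=\s*(\S+)')


def extract_fields(event):
    """Approximate Splunk's automatic key=value extraction plus xmlkv."""
    fields = {}
    head, sep, xml_body = event.partition('XML: ')
    for key, value in KV_RE.findall(head):
        fields[key] = value.strip('()')   # "(bzdate=20121113)" -> 20121113
    if sep:  # the event carries an XML payload: pull leaf elements as fields
        for elem in ET.fromstring(xml_body).iter():
            if len(elem) == 0 and elem.text and elem.text.strip():
                fields[elem.tag] = elem.text.strip()
    return fields


def group_by_txnid(parsed):
    """Merge all events sharing a txnid, like `transaction txnid`.
    Later values overwrite earlier ones; Splunk would keep a multivalue field."""
    groups = defaultdict(dict)
    for fields in parsed:
        if 'txnid' in fields:
            groups[fields['txnid']].update(fields)
    return dict(groups)


def filter_then_transaction(events, method):
    """The original search: `method=ABC | transaction txnid`.
    The XML event has no method field, so it is dropped before grouping."""
    parsed = [f for f in (extract_fields(e) for e in events) if f.get('method') == method]
    return group_by_txnid(parsed)


def transaction_then_search(events, method):
    """The fix: `transaction txnid | xmlkv | search method=ABC`."""
    groups = group_by_txnid(extract_fields(e) for e in events)
    return {t: f for t, f in groups.items() if f.get('method') == method}


def subsearch_then_transaction(events, method):
    """The cheaper variant: `[search method=ABC | fields txnid] | transaction txnid`.
    Only events whose txnid appears in the pre-filtered set are grouped at all."""
    parsed = [extract_fields(e) for e in events]
    wanted = {f['txnid'] for f in parsed if f.get('method') == method and 'txnid' in f}
    return group_by_txnid(f for f in parsed if f.get('txnid') in wanted)


if __name__ == '__main__':
    for fn in (filter_then_transaction, transaction_then_search, subsearch_then_transaction):
        print(fn.__name__, fn(SAMPLE_EVENTS, 'ABC'))
```

Running it shows filter_then_transaction returning txnid 1234 without amountAuthorised, while the other two return the merged record with bzdate, amount, method and amountAuthorised together; the subsearch variant parses every event here only because there is no index to consult, but it groups far fewer of them, which is the point of the EDIT above.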

Legend

No, that sounds like you didn't enter the search correctly. You need to start off with specifying the "search" command in subsearches. So, [index=XYZ ...] will not work but [search index=XYZ ...] will.


New Member

I think both will work, but you're right, the 1st method is killing me on speed as Transaction is slowing it down so much.

The 2nd one looks interesting but I am seeing

"Search operation 'index' is unknown. You might not have permission to run this operation."

I'm guessing I may need to talk to our Splunk admins to see what needs to be enabled.



SplunkTrust

You could apply the method filter after the transaction command. Whether this yields the result you have in mind depends on your data. Something like this:

index=foo | transaction bar | search method=baz | ...

New Member

Thank you for this. That makes sense. Is there a way, then, to define that I want to search for that method=ABC but also connect the 2 events based on the matching txnid?
