Splunk Search

Transaction command causing zero results

mrjester
Explorer

I have events that come in on a webform save action that logs the value pairs of all data elements. They look something like this.

06/21/2012 06:26:18 AM
LogName=Application
SourceName=WebAsset
EventCode=10001
EventType=4
Type=Information
ComputerName=dev-web
Category=0
CategoryString=none
RecordNumber=90606
Message=Message=Save
@objId=641
@user=Admin1
@rqstrName=James Doe
@alt1RqstrName=Jane Doe

objId is the key value for the records.

I am trying to display changes per objId over time, but only if there are changes.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1 

This query works fine and returns all expected results and all fields are still available.

When I add transaction a_objId to the end, it returns zero results.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0)  |  search include=1| transaction a_objId

Running this search shows multiple raw events for the objId still in the results.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" a_objId=<value> | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1

This search returns the desired results, just not filtered for for objIds with multiple events.

sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId

Any ideas on what I am doing wrong here?

Tags (2)
1 Solution

cphair
Builder

I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?


sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1

View solution in original post

cphair
Builder

I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?


sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1

mrjester
Explorer

You sir, have solved my dilemma. Thank you.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...