- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Transaction command causing zero results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have events that come in on a webform save action that logs the value pairs of all data elements. They look something like this.
06/21/2012 06:26:18 AM
LogName=Application
SourceName=WebAsset
EventCode=10001
EventType=4
Type=Information
ComputerName=dev-web
Category=0
CategoryString=none
RecordNumber=90606
Message=Message=Save
@objId=641
@user=Admin1
@rqstrName=James Doe
@alt1RqstrName=Jane Doe
objId is the key value for the records.
I am trying to display changes per objId over time, but only if there are changes.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1
This query works fine and returns all expected results and all fields are still available.
When I add transaction a_objId to the end, it returns zero results.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1| transaction a_objId
Running this search shows multiple raw events for the objId still in the results.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" a_objId=<value> | stats count as events by a_objId | eval include = if(events > 1,1,0) | search include=1
This search returns the desired results, just not filtered for for objIds with multiple events.
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId
Any ideas on what I am doing wrong here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you're going to have trouble using transaction after a summarizing command like stats. Can you use the eventcount field of transaction to do what you want?
sourcetype="WinEventLog:Application" "SourceName=WebAsset" | transaction a_objId | where eventcount > 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You sir, have solved my dilemma. Thank you.
Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...
Splunk Federated Analytics for Amazon Security Lake
Splunk With AppDynamics - Meet the New IT (And Engineering) Couple
