Splunk Search

Transaction mvindex sort order?

ndcl
Path Finder

Hey Base,

I encountered a problem with the transaction command. Here is the scenario:

I have a group of 3 correlating events. These events occur one after the other in time, and the maxspan is not more than 2s. I do one main search and 2 subsearches to collect all the needed events and sort them by _time. Then I combine those events with the transaction statement:
“…| sort by _time | transaction maxevents=3 maxspan=2s”

Next I use “mvindex” to assign some values of the transaction to fields:

“| eval typ=mvindex(msg,0) | eval oname=mvindex(msg,2) | eval nname=mvindex(msg,1)”

And here is the problem: the data inside the transaction are not in the same order in which they were piped to the transaction by the “sort” command, so they are not static anymore and the assignment to the fields does not work correctly.

What went wrong here? 

Thanks!
Chris


daishih
Path Finder

I have a similar need for something of this nature. No one knows how to sort transaction fields? Please help!


skalliger
SplunkTrust

Posting your search would help a lot.
I would change the above statement into something like this (no sort by):

[...]
| sort _time
| transaction field1 field2 field3
| table _time field1 field2 field3 

Works for me.
Edit: Of course you can change "sort _time" to any other field.


daishih
Path Finder

The best way to describe what I am trying to achieve is to sort the results of the transaction's values by _time, then by src_action, but keep them in the same field generated by the transaction. I hope that makes sense?


daishih
Path Finder

It appears to be sorting other fields by lexical order, not by the log line it was part of 😞


daishih
Path Finder

I tried your method, but the results are still not sorted properly no matter what fields I use for the transaction. The transaction command seems to be just dumping all the results into the fields and not sorting them in a correlated fashion.


daishih
Path Finder

Greetings,

I've got three sourcetypes that I am feeding into the transaction command. The problem I am having is that the fields in the table are not sorted by sourcetype across the rows.

Example output:

_time, src_action, rule
2017-01-19 11:23:02, netscreen:firewall_allowed, 57
pan:traffic_allowed, netscreen
websense:cg:kv_allowed, Rule1

For each sourcetype the rules don't match up across the row. Netscreen should be shown next to the netscreen:firewall_allowed row, not in the pan:traffic_allowed one, etc.

Here is the search I used to generate this:

index=security_logs SA=X.X.X.X | eval src_action=if(isnull(action),null(),sourcetype+"_"+action) | transaction SA,DA maxspan=5s | table _time, src_action, app, category, rule, SA, SP, SZ , DA, DP, DZ


ndcl
Path Finder

Hi,
Sorry, but this doesn't help me. Skipping the sort command causes some events to be missing which are in the list when I use sort by time. If I specify a field in the transaction command, then all values of the field "msg" will be placed at index 0. So I would have to loop through, but I want the msg field of every line of my combined search at a different index position. After trying around a little bit I found this way: I sort by _raw and use mvlist=t in the transaction command. It seems that this brings the events into the order in which they were indexed, and this order is static, so my mvindex thing will work…

… | sort by _raw | transaction mvlist=t maxevents=3 maxspan=2s | eval typ=mvindex(msg,2) | eval oname=mvindex(msg,1) | eval nname=mvindex(msg,0) | rename oname as "old name" | rename nname as "new name" | search typ="Dir*" | table "old name","new name"
Thanks

stevedefazio
Explorer

mvlist=t, awesome. This is exactly what I needed.


gkanapathy
Splunk Employee

First of all, it should be unnecessary to sort by _time. transaction expects events in reverse time order, then arranges them in forward time order within the transaction.

Second, you need to specify the fields you want in the mvlist parameter to the transaction command. Otherwise, they will be deduplicated and sorted lexicographically. If you have null values, you should also specify the nullstr parameter to set a placeholder value.
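To make the multivalue behaviour above concrete, here is a small Python model of how transaction builds a field from grouped events: added for this thread, not Splunk code and not from any poster. The events, timestamps and msg values are constructed; the rename sequence (Dir marker, old name, new name) mirrors the original question.

```python
# Added model of transaction's multivalue handling; plain Python, not SPL.
# Sample events are constructed for illustration.

def transaction(events, field, mvlist=False, nullstr=None):
    """Build the multivalue `field` for one transaction from grouped events.

    `events` arrive newest-first, as transaction receives them in Splunk,
    and are arranged in forward time order. Without mvlist the values are
    deduplicated and sorted lexicographically, so a position no longer says
    which event it came from. With mvlist=True there is one value per event
    in event order. Events lacking the field are skipped unless `nullstr`
    supplies a placeholder, which keeps later positions from shifting.
    """
    forward = sorted(events, key=lambda e: e["_time"])
    values = []
    for e in forward:
        if e.get(field) is not None:
            values.append(e[field])
        elif nullstr is not None:
            values.append(nullstr)
    return values if mvlist else sorted(set(values))


def mvindex(mv, i):
    """Like SPL mvindex(): an out-of-range position yields null (None)."""
    return mv[i] if -len(mv) <= i < len(mv) else None


def assign_fields(msg):
    """The eval typ=mvindex(msg,0) ... pattern from the question."""
    return {"typ": mvindex(msg, 0), "oname": mvindex(msg, 1), "nname": mvindex(msg, 2)}


# Constructed rename sequence, newest first: Dir marker, old name, new name.
EVENTS = [
    {"_time": 1484825002.0, "msg": "newname.txt"},
    {"_time": 1484825001.0, "msg": "oldname.txt"},
    {"_time": 1484825000.0, "msg": "Dir"},
]

# Same shape, but two events share a msg value, so dedup shrinks the list.
DUP_EVENTS = [
    {"_time": 1484825002.0, "msg": "same.txt"},
    {"_time": 1484825001.0, "msg": "same.txt"},
    {"_time": 1484825000.0, "msg": "Dir"},
]

if __name__ == "__main__":
    print("default:", assign_fields(transaction(EVENTS, "msg")))
    print("mvlist :", assign_fields(transaction(EVENTS, "msg", mvlist=True)))
    print("dedup  :", transaction(DUP_EVENTS, "msg"))
```

With the default settings the lexicographic sort puts "newname.txt" before "oldname.txt", so oname and nname come out swapped; with mvlist the positions follow event order and the assignment works.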

bmacias84
Champion

Can you post a scrubbed sample of your raw events and outputs?
