I encountered a problem with the transaction command. Here is the scenario:
I have a group of 3 correlating events. These events occur one after the other in time; the maxspan is not more than 2s. I do one main search and 2 subsearches to collect all needed events and sort them by _time. Then I combine those events with the transaction statement:
“…| sort by _time | transaction maxevents=3 maxspan=2s”
Next I use “mvindex” to assign some values of the transaction to fields:
“| eval typ=mvindex(msg,0) | eval oname=mvindex(msg,2) | eval nname=mvindex(msg,1)”
And here is the problem: the data inside the transaction are not in the same order in which they were piped to the transaction by the sort command, so they are not static anymore and the assignment to the fields does not work correctly.
What went wrong here?
Posting your search would help a lot.
I would change the above statement into something like this (no sort by):
[...] | sort _time | transaction field1 field2 field3 | table _time field1 field2 field3
Works for me.
Edit: Of course you can change "sort _time" to any other field.
The best way to describe what I am trying to achieve is to sort the results of the transaction's values by _time then by src_action but keep them in the same field generated by the transaction, I hope that makes sense?
I tried your method but the results are still not sorted properly no matter what fields I use for the transaction. The transaction command seems to be just dumping all the results into the fields and not sorting them in a correlated fashion.
I've got three source-types that I am feeding into the transaction command. The problem I am having is the fields in the tables are not sorted by source-type across the rows.
_time, src_action, rule
2017-01-19 11:23:02, netscreen:firewall_allowed, 57
For each source-type the rules don't match up across the row. Netscreen should be shown next to the netscreen:firewall_allowed row not in the pan:traffic_allowed one etc...
Here is the search I used to generate this:
index=security_logs SA=X.X.X.X | eval src_action=if(isnull(action),null(),sourcetype+"_"+action) | transaction SA,DA maxspan=5s | table _time, src_action, app, category, rule, SA, SP, SZ , DA, DP, DZ
Sorry, but this doesn't help me. Skipping the sort command causes some events to be missing that are present when I sort by time. If I specify a field in the transaction command, then all values of the field "msg" are placed at index 0. So I would have to loop through, but I want the msg field of every line of my combined search at a different index position. After trying around a little I found this way: I sort by _raw and use mvlist=t in the transaction command. It seems that this brings the events into the order in which they were indexed, and this order is static, so my mvindex thing will work…
… | sort by _raw | transaction mvlist=t maxevents=3 maxspan=2s |eval typ=mvindex(msg,2) |eval oname=mvindex(msg,1) |eval nname=mvindex(msg,0) | rename oname as "old name" | rename nname as "new name" | search typ="Dir*" | table "old name","new name"
first of all, it should be unnecessary to sort by _time: transaction expects events in reverse time order, then arranges them in forward time order within the transaction.
second, you need to specify the fields you want in the mvlist parameter to the transaction command. Otherwise, they will be deduplicated and sorted lexicographically. If you have null values, you should also specify the nullstr parameter to set a placeholder value.
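Putting the last answer's two points together, here is what the original poster's search from the earlier reply looks like with mvlist naming the field whose order matters and nullstr covering events where msg is absent. This is an added example, not a search from any of the posters; the base search is a placeholder because it was never posted, the placeholder value NULL is an arbitrary choice, and the mvindex positions assume the "typ" event is the earliest of the three (transaction orders the events forward in time, so index 0 is the oldest event; swap the indexes if the real event order differs).

```spl
<base search producing the three correlated events>
| transaction mvlist=msg nullstr=NULL maxevents=3 maxspan=2s
| eval n=mvcount(msg)
| where n=3
| eval typ=mvindex(msg,0), oname=mvindex(msg,1), nname=mvindex(msg,2)
| rename oname AS "old name", nname AS "new name"
| search typ="Dir*"
| table _time "old name" "new name"
```

The mvcount/where step is a guard: a transaction can close with fewer than maxevents events (for example when the 2s span expires), and then mvindex on the missing positions returns null and the renamed columns come out empty, which is easy to mistake for the ordering problem discussed above. Dropping the incomplete transactions, or inspecting them separately with where n<3, makes the two cases distinguishable. The same pattern (mvlist=src_action,rule plus nullstr) applies to the SA,DA transaction in the other poster's search, where the rule values were drifting away from their sourcetype row because the fields were being deduplicated and sorted lexicographically instead of kept in event order.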