Splunk Search

Transaction startswith argument with named fields?

szabados
Communicator

How can I provide field values to the startswith argument of the transaction command? Like I would do in a search:
index=myindex fieldname=valueToSearchFor

I want to do the same with a transaction

0 Karma

woodcock
Esteemed Legend

I am not sure I am understanding what you need so this may be way off.

The map command is the only way to template Splunk commands, although it probably was not intended for this.
You can do something like this (assuming fieldname contains the string that you need to use with startswith):

YourSearchThatGivesMeJustOneEventWithOneFieldWithOneValue | map search="search index=myindex | transaction startswith=\"$fieldname$\""
0 Karma
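
Added example, not part of the original posts: the transaction command's startswith argument also accepts a field comparison directly, written here as an eval() filter. The events are constructed with makeresults, and the session grouping field and the origin label are assumptions made for illustration; fieldname and valueToSearchFor are taken from the question.

```spl
| makeresults count=6
| streamstats count AS n
| eval _time = now() - n
| eval session = "s1", origin = "constructed sample data"
| eval fieldname = if(n==3 OR n==6, "valueToSearchFor", "other")
| transaction session startswith=eval(fieldname=="valueToSearchFor")
| table _time duration eventcount n fieldname origin
```

Each constructed event whose fieldname equals valueToSearchFor opens a new transaction, so the six sample events group into two transactions of three events each. The same filter can also be written as a search expression, startswith=(fieldname="valueToSearchFor"), and against real data the first five lines would be replaced by a base search such as index=myindex.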