Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Transactions grouped based on Field value and startswith endswith functions

Dark_Ichigo
Builder
‎03-15-2012 08:13 PM

Using the transaction command, I want to group a number of events to obviously make up a transaction but each contains the same field value for example, Field=334334 all events with this field number should be grouped into one trnasaction but with 2 other startswith and endswith events added to it, how can this be done?

0 Karma
Reply

Drainy
Champion
‎03-16-2012 05:35 AM

I think it sounds like you want to transaction a set of events based on startswith and endswith, and also run a separate transaction based on a Field value and then append them like this;

searchquery | transaction startswith=blah endswith=bleh | join Field [searchquery | transaction Field]

I am making a few assumptions as said above, also I am assuming that they might be different datasources as otherwise you may end up with duplicate results (that you could filter with a | dedup)

0 Karma
Reply

kristian_kolb
Ultra Champion
‎03-16-2012 03:05 AM

Could you provide a sample of the log? I'd guess from the fact that you are asking that events from these transactions are can overlap each other, i.e;

Start A
Event A
Start B
Event A
Event B
Event A
End A
Event B
End B

However, the field 334334 is not present in the start/end events, right?

/k

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...