Transactions grouped based on Field value and star...

Dark_Ichigo · ‎03-15-2012

Using the transaction command, I want to group a number of events to obviously make up a transaction but each contains the same field value for example, Field=334334 all events with this field number should be grouped into one trnasaction but with 2 other startswith and endswith events added to it, how can this be done?

Drainy · ‎03-16-2012

I think it sounds like you want to transaction a set of events based on startswith and endswith, and also run a separate transaction based on a Field value and then append them like this;

searchquery | transaction startswith=blah endswith=bleh | join Field [searchquery | transaction Field]

I am making a few assumptions as said above, also I am assuming that they might be different datasources as otherwise you may end up with duplicate results (that you could filter with a | dedup)

kristian_kolb · ‎03-16-2012

Could you provide a sample of the log? I'd guess from the fact that you are asking that events from these transactions are can overlap each other, i.e;

Start A
Event A
Start B
Event A
Event B
Event A
End A
Event B
End B

However, the field 334334 is not present in the start/end events, right?

/k

Transactions grouped based on Field value and startswith endswith functions

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation