Splunk Search

Transactions using different identifying fields

himynamesdave
Contributor

Attached is some data that you should be able to use to reproduce what I am trying to achieve.

Events.csv – extract of raw_field and sourcetype
Field extractions.txt – extract of field extractions from props.conf

I'm trying to follow the flow of transactions using Splunk.

Transactions use different identifiers as they progress, which are: ORDER_NUMBER, CAR_PDR, CAR_PCR, PFM_PDR, PFM_PCR

I am using joins to make sense of the results:

chain=* | join PFM_PCR type=outer [search PFM_PCR=* PFM_PDR=*] | join CAR_PCR type=outer [search CAR_PCR=* CAR_PDR=*] | join PFM_PDR type=outer [search ORDER_NUMBER=* PFM_PDR=*] | join CAR_PDR type=outer [search ORDER_NUMBER=* CAR_PDR=*] | transaction ORDER_NUMBER

I thought I didn’t need the joins and could do the following instead:

chain=* | transaction ORDER_NUMBER CAR_PDR CAR_PCR PFM_PDR PFM_PCR

but this had the effect of creating transactions that had all the keys as the tuple for the transaction ID. So we got transactions for (order1,car_pdr1,…), (order1,car_pdr2,…) etc.

Is there a better way of doing the transaction on ORDER_NUMBER that avoids all those messy joins?

0 Karma

jbjerke_splunk
Splunk Employee

Hi david

While not exactly what you are asking for, you might be able to get around the problem by using the stats command and list() by ORDER_NUMBER:

| stats count as eventcount list(_raw) as events,list(PFM_PCR) as PFM_PCR,list(CAR_PCR) as CAR_PCR,list(PFM_PDR) as PFM_PDR,list(CAR_PDR) as CAR_PDR, range(_time) as duration by ORDER_NUMBER

After this command you can apply some conditional searching to narrow down the results to fit your outer join "criteria".

j

0 Karma

emiller42
Motivator

So transaction should be working exactly as you're expecting here. Consider:

event=1 field1=foo
event=2 field1=foo
event=3 field1=foo field2=bar
event=4 field2=bar
event=5 field2=bar

If you run |transaction field1 field2 you'll actually get a single event containing 1 through 5. This is because it's looking for transitive relationships, and as long as there is at least one event where fields overlap, it'll consider them joined.

However, that ONLY works if you have some overlap connecting events.

Your sample data doesn't seem to include everything needed to test this. For example, there are no events that meet the EXTRACT-chain,PFM_PDR,File_name, EXTRACT-chain (PcR finished), EXTRACT-PFM_PcR,PFM_PcR_type, EXTRACT-PFM_PDR,PFM_PcR,chain,Product_name extractions from the PSM_FILE sourcetype.

0 Karma
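The transitive grouping emiller42 describes above, modelled as an added example (not Splunk's own implementation, and not code from either poster): a union-find over the listed field values, run on constructed events that mirror the five in the post plus one with no overlap, so the "only works if you have some overlap" caveat is visible in the output.

```python
from collections import defaultdict

# Constructed sample events, modelled on the post above: events 1-3 share
# field1=foo, events 3-5 share field2=bar, so event 3 bridges both groups.
# Event 6 is added to show an event that overlaps with nothing.
EVENTS = [
    {"event": 1, "field1": "foo"},
    {"event": 2, "field1": "foo"},
    {"event": 3, "field1": "foo", "field2": "bar"},
    {"event": 4, "field2": "bar"},
    {"event": 5, "field2": "bar"},
    {"event": 6, "field1": "baz"},
]

def group_transitively(events, fields):
    """Model of `transaction f1 f2 ...` as described in the answer: two events
    join when they share a value for any listed field, and joins are
    transitive. Returns a sorted list of sorted event-number lists."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for i, ev in enumerate(events):
        node = ("event", i)
        for f in fields:
            if f in ev:
                # key values by field name so field1=x never joins field2=x
                union(node, (f, ev[f]))

    groups = defaultdict(list)
    for i, ev in enumerate(events):
        groups[find(("event", i))].append(ev["event"])
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(group_transitively(EVENTS, ["field1", "field2"]))  # -> [[1, 2, 3, 4, 5], [6]]
    # Drop the bridging event 3 and the two halves no longer join.
    print(group_transitively([e for e in EVENTS if e["event"] != 3], ["field1", "field2"]))
```

Removing event 3 from the input yields [[1, 2], [4, 5], [6]], which is the situation the answer warns about: without an event carrying both identifiers, the halves never become one transaction.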