Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why does adding a table command after transaction result in no results found?

landen99
Motivator
‎09-04-2018 07:23 AM 
|  inputlookup id_test.csv 
|  reverse
|  eval _time=now()| transaction Col_A startswith=(Col_C=yes)

returns results:
alt text

With table and even fields afterward, there are no results:
alt text

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

niketn
Legend
‎09-04-2018 08:08 AM

@landen99, from the example in your question, does not see like transaction is the correct approach. You should be better off with stats.

  1. count as eventcount in stats is equivalent of auto generated eventcount in transaction
  2. first(Col_C) as startsWith in stats is equivalent of startswith in transaction
  3. by Col_A in stats is equivalent of transaction Col_A

Please try the following query based on stats:

| inputlookup id_test.csv
| stats count as eventCount first(Col_C) as startsWith list(Col_B) as Col_B list(Col_C) as Col_C by Col_A
| search startsWith="yes"

PS:
1. Since you do not need duration I did not compute the same but,
min(_time) as _time and max(_time) as LatestTime in stats followed by | eval duration=LatestTime-_time in stats will be equivalent to auto-generated duration field in transaction.
2. Transaction will give you unique values of all correlated events with multiple value. Since they are unique they will be sorted. So,
So, values(Col_B) as Col_B and values(Col_C) as Col_C will be equivalent to Col_B and Col_C or correlated events in transaction with unique values sorted in Alphabetical order.
3. I have used list() instead of values() for stats to show one to one mapping of correlated multi-valued fields. As list shows all values hence it keeps the original sort of events as they occur. However, limitation is that there list retains first 100 values(including duplicate). Which means if more than 100 events are correlated you will loose values using list.

Refer to Splunk documentation for transaction and stats command and also check out Event Grouping And Correlation Splunk Documentation to decide between various correlation commands depending on your use case.

Following is run anywhere search based on sample data provided in the screenshot:

| makeresults
| eval data="Col_A=\"ID_A\",Col_B=\"log 1\",Col_C=\"yes\";Col_A=\"ID_A\",Col_B=\"log 2\",Col_C=\"no\";Col_A=\"ID_A\",Col_B=\"log 3\",Col_C=\"yes\";Col_A=\"ID_C\",Col_B=\"log 5\",Col_C=\"yes\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table Col_A, Col_B, Col_C
| stats count as eventCount first(Col_C) as startsWith list(Col_B) as Col_B list(Col_C) as Col_C by Col_A
| search startsWith="yes"
| table Col* eventCount
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

landen99
Motivator
‎09-04-2018 09:31 AM

This approach does not appear to be able to handle when the first event is not "yes":

| makeresults
| eval data="Col_A=\"ID_A\",Col_B=\"log 0\",Col_C=\"no\";Col_A=\"ID_A\",Col_B=\"log 1\",Col_C=\"yes\";Col_A=\"ID_A\",Col_B=\"log 2\",Col_C=\"no\";Col_A=\"ID_A\",Col_B=\"log 3\",Col_C=\"yes\";Col_A=\"ID_C\",Col_B=\"log 5\",Col_C=\"yes\";"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| KV
| table Col_A, Col_B, Col_C
| stats count as eventCount first(Col_C) as startsWith list(Col_B) as Col_B list(Col_C) as Col_C by Col_A
| search startsWith="yes"
| table Col* eventCount

I added a log 0 event to the data and ID_A disappeared:
alt text

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...