Splunk Search

annotated raw field in transactions

Ledion_Bitincka
Splunk Employee
Splunk Employee

Dan Goldburt asks:

I'm consistently getting the following request from customers: "can I see where each event came from?". If they have this 150+ line transaction and want to scan through it, it helps to see the host, sourcetype, etc... next to each component event. (for a deep dive, I attached an email where I was working on this for another customer and couldn't come up with a satisfactory answer). Has anyone else heard this complaint?

Tags (1)

Ledion_Bitincka
Splunk Employee
Splunk Employee

A fairly crude way of seeing the source/sourcetype/host next to each individual event is to concat the value of those fields into _raw before doing the transaction, e.g.

… | eval _raw = source . “;” . sourcetype . “;” . host . “;” . _raw | transaction …

  • SteveZ
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...