Splunk Search

annotated raw field in transactions

Splunk Employee
Splunk Employee

Dan Goldburt asks:

I'm consistently getting the following request from customers: "can I see where each event came from?". If they have this 150+ line transaction and want to scan through it, it helps to see the host, sourcetype, etc... next to each component event. (for a deep dive, I attached an email where I was working on this for another customer and couldn't come up with a satisfactory answer). Has anyone else heard this complaint?

Tags (1)

Splunk Employee
Splunk Employee

A fairly crude way of seeing the source/sourcetype/host next to each individual event is to concat the value of those fields into _raw before doing the transaction, e.g.

… | eval _raw = source . “;” . sourcetype . “;” . host . “;” . _raw | transaction …

  • SteveZ