- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- append and transaction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
append and transaction
I have a pretty complex search where I'm trying to get the DHCP and ACS authentication logs correlated by MAC address for all workstations where a particular user logged into the wireless network.
index=main (host=dhcpserver)
| extract mac
| search
[ search host=csacs* index=main CSCOacs_Passed_Authentications
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username*
| fields trans_id ]
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields mac ]
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
[ search host=csacs* index=main CSCOacs_Passed_Authentications
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username*
| fields trans_id ]
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields _time host mac user ]
| transaction maxspan=20s mac
Everything is working okay except for the final transaction to join the transaction between the two systems. I verified the relevant events have the same MAC address and format (lowercase aa:aa:aa:aa:aa:aa) and are well within the maxspan time. Does transaction not work across appended searches?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think this search can be simplified:
index=main (host=dhcpserver)
| extract mac
| search
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
| dedup input
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields mac ]
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields _time host mac user ]
| transaction maxspan=20s mac
But I think this is the answer to your question: transaction
"Given events as input, this command finds transactions based on events"
You are not passing events to the final transaction command: you are passing summarized search results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there really a difference between summarized search results and events? My impression is that append takes a result and just adds more events to it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jeff. Did you get the answer for your question? I am having the same problem with append + transaction
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
