I have a pretty complex search where I'm trying to get the DHCP and ACS authentication logs correlated by MAC address for all workstations where a particular user logged into the wireless network.
index=main (host=dhcpserver)
| extract mac
| search
[ search host=csacs* index=main CSCOacs_Passed_Authentications
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username*
| fields trans_id ]
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields mac ]
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
[ search host=csacs* index=main CSCOacs_Passed_Authentications
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username*
| fields trans_id ]
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields _time host mac user ]
| transaction maxspan=20s mac
Everything is working okay except for the final transaction to join the transaction between the two systems. I verified the relevant events have the same MAC address and format (lowercase aa:aa:aa:aa:aa:aa) and are well within the maxspan time. Does transaction not work across appended searches?
I think this search can be simplified:
index=main (host=dhcpserver)
| extract mac
| search
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
| dedup input
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields mac ]
| rex field=_raw "DHCPACK on (?<ip_assigned>[0-9\.]+) to [^\(]+\((?<hostname>[^\)]+)\)"
| fields _time host hostname ip_assigned mac
| append
[ search host=csacs* index=main CSCOacs_Passed_Authentications user=*username* trans_id=*
| transaction maxpause=5s trans_id
| lookup normalizemac input AS Calling_Station_ID OUTPUTNEW mac
| dedup mac
| fields _time host mac user ]
| transaction maxspan=20s mac
But I think this is the answer to your question: transaction
"Given events as input, this command finds transactions based on events"
You are not passing events to the final transaction command: you are passing summarized search results.
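As an added illustration, not code from either post, here is the correlation both searches above describe, carried out in Python over constructed sample events: MAC addresses from both sources are normalized the way the `normalizemac` lookup does, `ip_assigned` and `hostname` are pulled out with the DHCPACK regex from the question, and the appended DHCP and ACS events are then grouped per `mac` inside a 20-second span, which is what `transaction maxspan=20s mac` is meant to do. The regex is extended to capture the MAC itself because `extract mac` is not available here; the log lines, hostnames, user names, trans_ids and the `normalize_mac` rule are all assumptions.

```python
"""Correlate DHCP ACK events with ACS passed-authentication events by MAC,
emulating `lookup normalizemac`, `append` and `transaction maxspan=20s mac`.
All sample data below is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP server lines (timestamp, raw message); not from the post.
DHCP_LINES = [
    ("2024-01-10T08:00:05", "dhcpd: DHCPACK on 10.1.2.34 to aa:bb:cc:dd:ee:ff (LAPTOP-1234) via eth0"),
    ("2024-01-10T08:00:07", "dhcpd: DHCPACK on 10.1.2.35 to 11:22:33:44:55:66 (PRINTER-7) via eth0"),
    ("2024-01-10T09:30:00", "dhcpd: DHCPACK on 10.1.2.34 to aa:bb:cc:dd:ee:ff (LAPTOP-1234) via eth0"),
]
# Constructed ACS passed authentications, already field-extracted. The
# Calling_Station_ID uses the dash-separated uppercase form the lookup normalizes.
ACS_EVENTS = [
    {"_time": "2024-01-10T08:00:01", "host": "csacs1", "user": "jsmith",
     "Calling_Station_ID": "AA-BB-CC-DD-EE-FF", "trans_id": "t1"},
    {"_time": "2024-01-10T08:00:02", "host": "csacs1", "user": "other",
     "Calling_Station_ID": "11-22-33-44-55-66", "trans_id": "t2"},
    {"_time": "2024-01-10T09:29:50", "host": "csacs1", "user": "jsmith",
     "Calling_Station_ID": "AA-BB-CC-DD-EE-FF", "trans_id": "t3"},
]

# The post's rex, with an extra group for the MAC (the post gets it via `extract mac`).
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip_assigned>[0-9.]+) to (?P<mac>[0-9A-Fa-f:.-]+) \((?P<hostname>[^)]+)\)")
MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(raw):
    """Assumed stand-in for the normalizemac lookup: drop separators, lowercase,
    emit colon-separated pairs; None if the value is not a 48-bit MAC."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def dhcp_events(lines):
    """Apply the DHCPACK regex and keep the fields the question keeps."""
    out = []
    for ts, raw in lines:
        m = DHCPACK_RE.search(raw)
        mac = normalize_mac(m.group("mac")) if m else None
        if mac is None:
            continue
        out.append({"_time": datetime.fromisoformat(ts), "host": "dhcpserver", "mac": mac,
                    "ip_assigned": m.group("ip_assigned"), "hostname": m.group("hostname")})
    return out

def acs_events(events, user):
    """Keep passed authentications for one user and attach the normalized mac."""
    out = []
    for ev in events:
        mac = normalize_mac(ev["Calling_Station_ID"])
        if ev["user"] != user or mac is None:
            continue
        out.append({"_time": datetime.fromisoformat(ev["_time"]), "host": ev["host"],
                    "mac": mac, "user": ev["user"]})
    return out

def transaction_by_mac(events, maxspan=timedelta(seconds=20)):
    """Approximate `transaction maxspan=20s mac`: sort by time, group per mac,
    and open a new group once an event falls more than maxspan after the
    first event of the current group. Fields from grouped events are merged,
    first value wins, and eventcount is recorded like transaction does."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        runs = groups[ev["mac"]]
        if runs and ev["_time"] - runs[-1][0]["_time"] <= maxspan:
            runs[-1].append(ev)
        else:
            runs.append([ev])
    result = []
    for mac, runs in groups.items():
        for run in runs:
            merged = {"mac": mac, "_time": run[0]["_time"], "eventcount": len(run)}
            for ev in run:
                for k, v in ev.items():
                    if k not in ("_time", "mac"):
                        merged.setdefault(k, v)
            result.append(merged)
    return sorted(result, key=lambda t: t["_time"])

def workstations_for_user(user):
    """Transactions that pair a DHCP lease with an authentication by `user`."""
    both = dhcp_events(DHCP_LINES) + acs_events(ACS_EVENTS, user)
    return [t for t in transaction_by_mac(both) if "user" in t and "hostname" in t]

if __name__ == "__main__":
    for t in workstations_for_user("jsmith"):
        print(t["_time"], t["mac"], t["hostname"], t["ip_assigned"], t["user"], t["eventcount"])
```

Running it lists two transactions for `jsmith`, each combining an ACS authentication with the DHCPACK for `LAPTOP-1234` that arrived a few seconds later, and one for `other` on `PRINTER-7`; a lease with no matching authentication inside the span stays a single-event transaction and is dropped by the final filter, which is the same outcome the `search [ ... fields mac ]` subsearch in the original produces.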
Is there really a difference between summarized search results and events? My impression is that append takes a result and just adds more events to it.
Hi Jeff. Did you get the answer for your question? I am having the same problem with append + transaction.