combine table results

ccsfdave
Builder

I'm sorry, I am not even sure how to ask this question or whether the subject line really explains what I am after.

I am looking at IronPort logs and have to nest a search in order to get all the information around an event. The results give me MID and ICID repeating, and then mailto and mailfrom will show up once; then at the end I have a rex to extract the IPs.

See the picture - what I am after is having all the values for each event on one line.

Let me know if this makes sense.

Thanks so much!

Dave


sideview
SplunkTrust

I know, because I was to some level involved in the conversations around its creation, that the searchtxn command was developed in large part to specifically address this exact use case - of confusing transitive relationships between icid, dcid, mid specifically in ironport logs. That is to say no one id is the crux to stitching together the desired end result - instead it's a confusing story of icids and dcids and mids.

It has come up multiple multiple times, with folks trying to construct things with transaction and with subsearches, somewhat depending on whether you're trying to report on everything, or analyze just a slim subset of traffic.

The bad news is that I cannot recall any exact details of how you construct the searchtxn search here, nor does there seem to be that much on answers or in the docs. =/ I'm a little surprised that a dcid+mid+icid example isn't one of the official examples for the searchtxn command, complicated though it would be to document.

http://answers.splunk.com/answers/29489/using-transaction-with-one-to-many-relationships.html

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Searchtxn

and you can see my answer long ago on a similar question --
http://answers.splunk.com/answers/76785/complex-subsearch-need-to-extract-value-of-field-and-pipe-in...


aljohnson_splun
Splunk Employee

@CCSFDave I think you're probably looking for the dedup command

| dedup icid mid

But maybe you're looking for the transaction command.

| transaction icid
| table _time, mid, icid, mailto, mailfrom, address

Note transaction has got some seriously shiny options here, e.g.:

| transaction icid startswith="mailto=*" endswith="address=*"
| table _time, mid, icid, mailto, mailfrom, address

or

you could avoid using the transaction command because it's hella slow, with stats, a la:

| stats values(mid) values(mailto) values(mailfrom) values(address) by icid
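An added example (not code from this thread) that carries the stats approach above through the icid/mid relationship sideview describes: in IronPort text mail logs the connecting IP sits on the ICID line while From/To sit on MID lines, so the address is first copied onto every event of its connection with eventstats, then each message is collapsed to one row by mid. The index, sourcetype and rex patterns are assumptions for typical IronPort log lines; the `rename COMMENT` line is the classic no-op comment idiom and can be dropped.

```spl
index=mail sourcetype=cisco:esa:textmail (MID OR ICID)
| rename COMMENT AS "added example: index, sourcetype and rex patterns are assumptions, adjust to your data"
| rex "\bICID (?<icid>\d+)"
| rex "\bMID (?<mid>\d+)"
| rex "address (?<address>\d{1,3}(?:\.\d{1,3}){3})"
| rex "From: <(?<mailfrom>[^>]*)>"
| rex "\bTo: <(?<mailto>[^>]*)>"
| eventstats values(address) AS address BY icid
| where isnotnull(mid)
| stats earliest(_time) AS _time values(icid) AS icid values(mailfrom) AS mailfrom values(mailto) AS mailto values(address) AS address BY mid
| table _time mid icid mailfrom mailto address
```

Unlike `transaction icid`, this yields one row per message even when several messages arrive over the same connection, and it is not subject to transaction's memory limits on large result sets.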