combine table results

ccsfdave
Builder

I'm sorry, I am not even sure how to ask this question or whether the subject line really explains what I am after.

I am looking at IronPort logs and have to nest a search in order to get all the information around an event. The results give me MID and ICID repeating and then mailto and mailfrom will show up once then at the end I have a rex to extract the IPs.

See the picture - what I am after is having all the values for each event on one line.

Let me know if this makes sense.

Thanks so much!

Dave


sideview
SplunkTrust

I know, because I was to some level involved in the conversations around its creation, that the searchtxn command was developed in large part to specifically address this exact use case - of confusing transitive relationships between icid, dcid, mid specifically in ironport logs. That is to say no one id is the crux to stitching together the desired end result - instead it's a confusing story of icids and dcids and mids.

It has come up multiple multiple times, with folks trying to construct things with transaction and with subsearches, somewhat depending on whether you're trying to report on everything, or analyze just a slim subset of traffic.

The bad news is that I cannot recall any exact details of how you construct the searchtxn search here, nor does there seem to be that much on answers or in the docs. =/ I'm a little surprised that a dcid+mid+icid example isn't one of the official examples for the searchtxn command, complicated though it would be to document.

http://answers.splunk.com/answers/29489/using-transaction-with-one-to-many-relationships.html

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Searchtxn

and you can see my answer long ago on a similar question --
http://answers.splunk.com/answers/76785/complex-subsearch-need-to-extract-value-of-field-and-pipe-in...


aljohnson_splun
Splunk Employee

@CCSFDave I think you're probably looking for the dedup command

| dedup icid mid

But maybe you're looking for the transaction command.

| transaction icid
| table _time, mid, icid, mailto, mailfrom, address

Note transaction has got some seriously shiny options here, e.g.:

| transaction icid startswith="mailto=*" endswith="address=*"
| table _time, mid, icid, mailto, mailfrom, address

or

you could avoid using the transaction command because it's hella slow, with stats, a la:

| stats values(mid) values(mailto) values(mailfrom) values(address) by icid
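As an added offline illustration (not code from this thread, and not a Splunk search), the Python below does over a few constructed IronPort-style log lines what the final `stats values(...) by icid` search above does in SPL, and carries the stitching one step further to the DCID that sideview's answer describes. The log line format is approximated from memory, and every id, IP and mailbox in the sample is constructed.

```python
import re
from collections import defaultdict
# Constructed IronPort-style mail log lines (format approximated; not from the thread).
SAMPLE_LOG = """\
Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 198.51.100.25 reverse dns host mail.example.net verified yes
Info: Start MID 5001 ICID 1001
Info: MID 5001 ICID 1001 From: <alice@example.net>
Info: MID 5001 ICID 1001 RID 0 To: <bob@example.com>
Info: MID 5001 ICID 1001 RID 1 To: <carol@example.com>
Info: Start MID 5002 ICID 1001
Info: MID 5002 ICID 1001 From: <alice@example.net>
Info: MID 5002 ICID 1001 RID 0 To: <dave@example.com>
Info: Delivery start DCID 9001 MID 5001 to RID [0, 1]
Info: Delivery start DCID 9002 MID 5002 to RID [0]
"""

ICID_RE = re.compile(r"\bICID (\d+)")
MID_RE = re.compile(r"\bMID (\d+)")
DCID_RE = re.compile(r"\bDCID (\d+)")
ADDR_RE = re.compile(r"\baddress (\d{1,3}(?:\.\d{1,3}){3})")
FROM_RE = re.compile(r"From: <([^>]+)>")
TO_RE = re.compile(r"To: <([^>]+)>")

def stitch(log_text):
    """One row per MID: icid, connecting IP (from the ICID line), dcid(s), mailfrom, mailto.
    No single id joins everything (IP is on the ICID line, envelope on MID lines, DCID on
    delivery lines without ICID), so link ICID -> MID -> DCID like stats values() by icid.
    """
    conn = {}  # icid -> connecting IP
    msgs = defaultdict(lambda: {"icid": None, "dcid": set(), "mailfrom": set(), "mailto": set()})
    for line in log_text.splitlines():
        icid, mid, dcid, addr = (r.search(line) for r in (ICID_RE, MID_RE, DCID_RE, ADDR_RE))
        if icid and addr:
            conn[icid.group(1)] = addr.group(1)
        if not mid:
            continue
        row = msgs[mid.group(1)]
        if icid:
            row["icid"] = icid.group(1)
        if dcid:
            row["dcid"].add(dcid.group(1))
        for key, rx in (("mailfrom", FROM_RE), ("mailto", TO_RE)):
            m = rx.search(line)
            if m:
                row[key].add(m.group(1))
    return [{"mid": mid, "icid": row["icid"], "address": conn.get(row["icid"]),
             "dcid": sorted(row["dcid"]), "mailfrom": sorted(row["mailfrom"]),
             "mailto": sorted(row["mailto"])}
            for mid, row in sorted(msgs.items())]
```

Each returned dict is one line of the table the original question asks for; the multivalue fields (mailto, dcid) come out as lists, just as `values()` would in Splunk.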