combine table results

I'm sorry, I am not even sure how to ask this question or whether the subject line really explains what I am after.

I am looking at IronPort logs and have to nest a search in order to get all the information around an event. The results give me MID and ICID repeating, then mailto and mailfrom show up once, and at the end I have a rex to extract the IPs.

See the picture - what I am after is having all the values for each event on one line.

Let me know if this makes sense.

Thanks so much!

Dave

Re: combine table results

Splunk Employee

@CCSFDave I think you're probably looking for the dedup command

| dedup icid mid

But maybe you're looking for the transaction command.

| transaction icid
| table _time, mid, icid, mailto, mailfrom, address

Note transaction has got some seriously shiny options here, e.g.:

| transaction icid startswith=mailto=* endswith=address=*
| table _time, mid, icid, mailto, mailfrom, address

or

you could avoid using the transaction command because it's hella slow, with stats, a la:

| stats values(mid) values(mailto) values(mailfrom) values(address) by icid
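As an added illustration (not code from this thread or from Splunk), here is a small Python model of what the stats-based search above does: Splunk-style field extraction on each line, then one row per icid holding the distinct values of mid, mailto, mailfrom and address. The log lines are constructed in the general shape of IronPort mail_logs entries, and the regexes are assumptions standing in for the asker's own rex and field extractions.

```python
import re
from collections import defaultdict

# Constructed IronPort-style mail_logs lines (sample data, not real traffic):
# one SMTP connection (ICID 4001) carrying two messages (MID 9001 and 9002).
SAMPLE_LOG = """\
Thu Mar  5 10:01:02 2015 Info: New SMTP ICID 4001 interface Data1 (10.0.0.5) address 198.51.100.7 reverse dns host mx.example.net verified yes
Thu Mar  5 10:01:03 2015 Info: Start MID 9001 ICID 4001
Thu Mar  5 10:01:03 2015 Info: MID 9001 ICID 4001 From: <alice@example.net>
Thu Mar  5 10:01:03 2015 Info: MID 9001 ICID 4001 RID 0 To: <bob@example.org>
Thu Mar  5 10:01:03 2015 Info: MID 9001 ICID 4001 RID 1 To: <carol@example.org>
Thu Mar  5 10:01:04 2015 Info: Start MID 9002 ICID 4001
Thu Mar  5 10:01:04 2015 Info: MID 9002 ICID 4001 From: <alice@example.net>
Thu Mar  5 10:01:04 2015 Info: MID 9002 ICID 4001 RID 0 To: <dave@example.org>
Thu Mar  5 10:01:05 2015 Info: ICID 4001 close
"""

# Assumed field extractions, playing the role of the asker's rex statements.
FIELD_PATTERNS = (
    re.compile(r"\bICID (?P<icid>\d+)"),
    re.compile(r"\bMID (?P<mid>\d+)"),
    re.compile(r"\baddress (?P<address>[\d.]+)"),
    re.compile(r"From: <(?P<mailfrom>[^>]+)>"),
    re.compile(r"To: <(?P<mailto>[^>]+)>"),
)


def extract_fields(line):
    """Return the fields present on one event, like Splunk search-time extraction."""
    fields = {}
    for pattern in FIELD_PATTERNS:
        match = pattern.search(line)
        if match:
            fields.update(match.groupdict())
    return fields


def stats_values_by_icid(log_text):
    """Model `| stats values(mid) values(mailto) values(mailfrom) values(address) by icid`:
    one row per icid, each field holding its distinct values in sorted order."""
    rows = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        fields = extract_fields(line)
        icid = fields.get("icid")
        if icid is None:
            continue  # events without the split-by field are dropped, as in Splunk
        for name in ("mid", "mailto", "mailfrom", "address"):
            if name in fields:
                rows[icid][name].add(fields[name])
    return {icid: {n: sorted(v) for n, v in cols.items()} for icid, cols in rows.items()}
```

Note that values() collapses duplicates, so the two identical From: lines become a single mailfrom value, while the mid column keeps both message IDs that travelled over the same connection.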
Re: combine table results

SplunkTrust

I know, because I was to some level involved in the conversations around its creation, that the searchtxn command was developed in large part to specifically address this exact use case - of confusing transitive relationships between icid, dcid, mid specifically in ironport logs. That is to say no one id is the crux to stitching together the desired end result - instead it's a confusing story of icids and dcids and mids.

It has come up multiple multiple times, with folks trying to construct things with transaction and with subsearches, somewhat depending on whether you're trying to report on everything, or analyze just a slim subset of traffic.

The bad news is that I cannot recall any exact details of how you construct the searchtxn search here, nor does there seem to be that much on answers or in the docs. =/ I'm a little surprised that a dcid+mid+icid example isn't one of the official examples for the searchtxn command, complicated though it would be to document.

http://answers.splunk.com/answers/29489/using-transaction-with-one-to-many-relationships.html

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/Searchtxn

and you can see my answer long ago on a similar question --
http://answers.splunk.com/answers/76785/complex-subsearch-need-to-extract-value-of-field-and-pipe-in...
