Re: how to use transaction to Group multiple event...

qiuxiaoping · ‎08-01-2020

hello , i have many logs like:

"_time1 user=A eventid =45"

"_time2 user=A eventid=46"

"_time3 user=A eventid=48"

"_time4 user=B eventid=45"

"_time5 user=A eventid=46"

i want to transaction new event like:

"_time1 user=A eventid=45

_time2 user=A eventid=46

_time3 user=A eventid=48"

to4kawa · ‎08-01-2020

what is the conditions?

qiuxiaoping · ‎08-05-2020

hello

conditions are:

if user=A, and The eventid values of the three events are 45, 46 and 48 in sequence，then group this three event。

to4kawa · ‎08-05-2020

index=_internal 
| head 5 
| fields _time _raw 
| reverse 
| streamstats count 
| eval _raw="user=".if(count=4,"B","A")." eventid=".mvindex(split("45.46.48.45.46","."),count - 1)
| fields - count
| kv 
| rename COMMENT as "this is sample" 
| transaction user maxevents=3

see the command reference.

qiuxiaoping · ‎08-05-2020

Thankyou for your help. i try your sample case . but it does not meet my request. In my request, 45, 46, and 48 must appear strictly in this order . I have added some content based on yours. pls help me .

qiuxiaoping · ‎08-01-2020

hello

conditions are:

if user=A, and The eventid values of the three events are 45, 46 and 48 in sequence，then group this three event。

how to use transaction to Group multiple events with field values in a specific order

transaction

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

how to use transaction to Group multiple events with field values in a specific order

transaction

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR