Splunk Search

problem with transaction and inputlookup

cpuppet
Path Finder

I think I am stuck on this for some reason; my head isn't working right when thinking about this problem.

I have a bunch of web logs that I need to sort out by a certain field (let's say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction.
This web transaction can be defined with an SID for our transaction command.
However, I need to find all the transactions that include any of the n XIDs that I have put in a list (an XID lookup table).

My original search:
sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID

The problem with this search is that it only gives the lines that have an XID from my lookup table,
but what I really want is to list all the lines in each transaction (by SID) that includes an XID from my lookup table.

Is it possible to do so?

1 Solution

Ayn
Legend

Just move the subsearch filter so that it is used after the transactions are created.

sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID] 

cpuppet
Path Finder

Ayn, thanks a lot.

I think I see where I had it wrong in the first place;
your | search [|inputlookup xxx] saved me the trouble.

What I really need... might be this, to complete what we are looking for:

sourcetype ="web_log" | transaction SID XID | search [|inputlookup xid_lookup.csv | fields XID]

With this I will be able to filter out the different SID transactions that include a particular XID from my table,

which will also run faster when I add maxspan to the transaction.

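To make concrete why the subsearch filter has to run after transaction (Ayn's answer) and what adding maxspan does to a long-lived SID (the last reply), here is an added Python model. It is not part of the original thread and not Splunk code: it mimics "| transaction SID [maxspan=...]" on a handful of constructed web log lines and applies the XID lookup filter once before and once after grouping. The events, SID/XID values and lookup contents are all made up, and the transaction function is a deliberately simplified stand-in for the Splunk command (one grouping field, maxspan only).

```python
"""Model of 'filter before transaction' vs 'transaction then filter'.

Constructed sample data; a simplified stand-in for Splunk's transaction
command (grouping by SID, optional maxspan), not Splunk itself.
"""
from collections import defaultdict

# Constructed sample web log: each web transaction (SID) spans several
# lines, and only one or two of them carry an XID.
WEB_LOG = [
    {"_time": 100, "SID": "s1", "uri": "/login"},
    {"_time": 101, "SID": "s1", "uri": "/cart", "XID": "X123"},
    {"_time": 102, "SID": "s1", "uri": "/checkout"},
    {"_time": 100, "SID": "s2", "uri": "/login"},
    {"_time": 103, "SID": "s2", "uri": "/cart", "XID": "X555"},
    {"_time": 104, "SID": "s2", "uri": "/logout"},
    {"_time": 110, "SID": "s3", "uri": "/login"},
    {"_time": 111, "SID": "s3", "uri": "/search", "XID": "X789"},
    {"_time": 500, "SID": "s3", "uri": "/login"},  # same SID, much later
    {"_time": 501, "SID": "s3", "uri": "/cart", "XID": "X789"},
]

# Stand-in for the contents of xid_lookup.csv (values are made up).
XID_LOOKUP = {"X123", "X789"}


def transaction(events, field="SID", maxspan=None):
    """Group events by `field`, starting a new group once it would exceed maxspan seconds.

    Simplified model of `| transaction SID [maxspan=...]`: Splunk merges a group
    into one event with multivalued fields; here a group stays a list of events.
    Returns a list of transactions, each sorted by _time.
    """
    by_key = defaultdict(list)
    for ev in events:
        if field in ev:
            by_key[ev[field]].append(ev)
    txns = []
    for key in sorted(by_key):
        current = []
        for ev in sorted(by_key[key], key=lambda e: e["_time"]):
            if current and maxspan is not None and ev["_time"] - current[0]["_time"] > maxspan:
                txns.append(current)  # span exceeded: close this transaction
                current = []
            current.append(ev)
        if current:
            txns.append(current)
    return txns


def search_xid(events, lookup):
    """Model of `search [| inputlookup xid_lookup.csv | fields XID]` applied to events."""
    return [ev for ev in events if ev.get("XID") in lookup]


def filter_then_transaction(events, lookup, maxspan=None):
    """The original search: the subsearch filter runs BEFORE transaction,
    so only the 1-2 lines carrying a listed XID survive to be grouped."""
    return transaction(search_xid(events, lookup), maxspan=maxspan)


def transaction_then_filter(events, lookup, maxspan=None):
    """The fix: build transactions first, then keep those containing a listed XID.

    After transaction, XID is multivalued on the merged event, so the filter
    matches when ANY line of the transaction carried a listed XID; the whole
    transaction (all its lines) is kept.
    """
    return [txn for txn in transaction(events, maxspan=maxspan) if search_xid(txn, lookup)]


def line_counts(txns):
    """(SID, number of lines) per transaction, for display and tests."""
    return [(txn[0]["SID"], len(txn)) for txn in txns]


if __name__ == "__main__":
    print("filter then transaction:", line_counts(filter_then_transaction(WEB_LOG, XID_LOOKUP)))
    print("transaction then filter:", line_counts(transaction_then_filter(WEB_LOG, XID_LOOKUP)))
    print("with maxspan=60:", line_counts(transaction_then_filter(WEB_LOG, XID_LOOKUP, maxspan=60)))
```

Run as-is: the first search returns a 1-line "transaction" for s1 and a 2-line one for s3 (only the XID lines), the corrected order returns s1 with all 3 lines and s3 with all 4, and s2 (whose XID is not in the lookup) is dropped either way. With maxspan=60 the two s3 bursts 390 seconds apart become two separate transactions, which is also why maxspan keeps transaction from holding long-lived SIDs in memory.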