Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: problem with transaction and inputlookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think i am stuck on this certain for some reason that my head isn't working right when thinking about this problem
i have a bunch of web logs that i need to sort out with a certain field (lets say XID) that is only inserted in 1 or 2 lines out of the xxx lines in a complete web transaction
this web transaction can be defined with an SID for our transaction command
however, i need to find all the transactions that includes n numbers of XID that i have created in a list of XID lookup table
my original search
sourcetype="web_log" [inputlookup xid_lookup.csv | fields XID] | transaction SID
the problem of this search is that it will only given the result of the lines that has the XID in my lookup table
but what i really want to do is to list out all the lines in transaction by the SID that includes XID in my lookup table only
is it possible to do so?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just move the subsearch filter so that it is used after the transactions are created.
sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just move the subsearch filter so that it is used after the transactions are created.
sourcetype="web_log" | transaction SID | search [| inputlookup xid_lookup.csv | fields XID]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ayn thanks alot
i think i got where i had it worng in the first place
your | search [|inputlookup xxx] saved my trouble
what i really need...might be this to complete what we are looking for
sourcetype ="web_log" | transaction SID XID | search [|inputlookup xid_lookup.csv | fields XID]
by this i will be able to filter out the different transactions of SIDs that are included with the particular XID in my table
which will also run faster when i add the maxspan for the transaction
Unlock Database Monitoring with Splunk Observability Cloud
Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All
[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk
