Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

simple question on transactions

bessery
New Member
‎02-13-2013 04:55 AM

The transaction command works with a common field across logs. how can we group multiple events which might have the same types of values (for eg. sessionid) but under a differnt field name? eg. value a0001 might be sessionid for sourcetype A but might be uid for sourcetype B.. Can this be done via tags/aliases?

Tags (1)
0 Karma
Reply

BenAveling
Path Finder
‎09-17-2013 06:16 PM

You could use a tag to select all records that have a particular value in different fields, but you'd need to tag and search for all the values you're interested in, and you'd still have the question of how to group the records.

To get the desired result, probably better to use something like this:

... | eval id = if(sessionid !="",sessionid ,uid) | transaction id

or this:

... | eval id=coalesce(sessionid ,uid) | transaction id

You can't just use "rename sessionid as uid", or "eval uid=sessionid", because rename and eval would overwrite the original values of uid.

0 Karma
Reply

jeff
Contributor
‎02-13-2013 05:00 AM

Either of these would work fine...

{your search criteria} | rename some_field as normalized_field | transaction normalized_field

{your search criteria} | eval normalized_field=some_field | transaction normalized_field

The difference between the two - "some_field" will not be available as a distinct field in the first query as it is renamed. The second will create a second field while leaving the original extracted field as part of the event.

Reply

BenAveling
Path Finder
‎09-16-2013 08:58 PM

Hi Ayn, you're right, I should have been "search b". Cut & paste error in the search, but what I said it returns is correct.

As written above, it returns nothing.

Corrected to:

 search... |  rename a as b | transaction b

it returns:

 a=1

It turns out that rename and eval do not merge, they overwrite, with null if 'a' doesn't exist.

To get the desired result you need to use something like 

... | eval a_or_b = if(a!="",a,b) | transaction a_or_b

or

... | eval a_or_b=coalesce(a,b) | transaction a_or_b
0 Karma
Reply

Ayn
Legend
‎09-16-2013 02:14 AM

...but you're renaming a to b, then doing the transaction on a. Don't you want it to be b?

Reply

BenAveling
Path Finder
‎09-15-2013 11:56 PM

That doesn't seem to work for me. Transaction returns the entry with the renamed field or the eval'd field, but not the unrenamed field. It's as if the renaming has clobbered something.

i.e. given 

a=1

and 

b=1

Then

search... | rename a as b | transaction a

returns only 

a=1
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...