Splunk Search

transaction command: How to group events ONLY on specific conditions?

Super Champion

We have a system where event pairing occurs only for a specific type of messageId:

event=1 messageId=100 requestor=human1 
event=2 messageId=200 requestor=human2 
event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4

In the above example, we need to group the events ONLY if the messageId is 20* (i.e. in the 200s), and based on requestor.
Currently the simple query is:

... | transaction requestor 

Looking for output something like the following, so that event=2 and event=3 become a single transaction:

event=1 messageId=100 requestor=human1 
event=2 messageId=200 requestor=human2  event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4

I'm looking for something like:

... | transaction requestor where messageId=20*

PS: I don't want to group for messageId=300 even if it's the same requestor (events 5 & 6).

Ideally I'm looking for the transaction to be done only on specific events, without needing multiple queries on the raw data.
Any ideas/tricks to do this?

0 Karma

SplunkTrust

Maybe filter before the transaction?

    index = <your_index> sourcetype = <your_sourcetype> messageId = 20* ... | transaction ....

What is your desired outcome of the search?

0 Karma

Super Champion

Hi mate, I have put the desired outcome in the question itself.
With your logic, ONLY events with 20* are given to the transaction command. So only the 20* events will be output, and the rest of the messages will be removed.

0 Karma

SplunkTrust

I think I understand now.
The search below is not perfect, as it relies on the random function, and maybe occasionally you will hit the same random number twice with the same requestor, but I find it very unlikely. You can also increase the number in that function as high as you see fit.

    | makeresults count=1
    | eval data="event=1,messageId=100,requestor=human1;
                 event=2,messageId=200,requestor=human2;
                 event=3,messageId=201,requestor=human2;
                 event=4,messageId=300,requestor=human3;
                 event=5,messageId=300,requestor=human4;
                 event=6,messageId=300,requestor=human4"
    | makemv delim=";" data
    | mvexpand data
    | eval _time=now() - random()%100
    | eval _raw=data
    | extract pairdelim="," kvdelim="="
    | table _time _raw event messageId requestor
    | rename COMMENT as "the above generates the data; below is the solution"
    | eval trans_event=if(like(messageId,"20%"), "1", random()%100000000000)
    | transaction requestor trans_event

Hope you like it.

Super Champion

I liked the concept. I will try it in my scenario and let you know. In the meantime, I've upvoted your comment.

0 Karma

Explorer

Have you tried keeporphans=true? This should display all other results alongside any groupings.

0 Karma

Super Champion

I tried that, but how to ensure it groups only the 20* messages?

0 Karma