Here is my code:
index=example sourcetype=wineventlog computer_name="example"
| transaction computer_name startswith="event_id=4732" endswith="event_id=4733" maxspan=15m mvraw=true mvlist=true
| table _time, user.name, computer_name, event_id, _raw
I am trying to separate each event that occurs in order to get rid of fluff content such as "A security-enabled local group membership was enumerated." appearing hundreds of times. What would be the best way to do this? mvexpand has not worked for me so far.
"A security-enabled local group membership was enumerated." sounds like it is represented by a unique event_id. Get rid of those in the search. If there are specific key words/phrases that cannot be represented by an event_id, the best approach is to use search terms to eliminate them. Finally, if there are feature words that are too hard to construct using search terms, you can use a regex to eliminate them.
index=example sourcetype=wineventlog computer_name="example"
NOT event_id IN (fluff_id1, fluff_id2, fluff_id3)
NOT "fluff term1" NOT "fluff term2" NOT "fluff term3"
| where NOT match(_raw, "fluff[r]egex1|fluf[f]regex2|fluf[fr]egex3")
Not sure how transaction gets into the picture, however.
Do you only want event_id=4732 and event_id=4733?
If so, I'd look at doing something like this:
index=example sourcetype=wineventlog computer_name="example" event_id IN (4732,4733)
| eval is{event_id}=1
| stats sum(is4732) as count4732, sum(is4733) as count4733, values(user.name), earliest(_time) as startTime, latest(_time) as endTime, values(event_id) by computer_name
| where count4732>=1 AND count4733>=1
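To make the two answers concrete, here is an added Python example (not code from the thread or from Splunk) that does over a handful of constructed wineventlog-style lines what the two SPL searches above do: first drop the "fluff" by event ID, by search term and by regex, as in the first answer; then correlate 4732 (member added to a security-enabled local group) with 4733 (member removed) per computer_name, as in the second answer's stats approach; and finally list the remaining events that sit between the pair within a 15-minute span, which is what the asker says they are really after. The thread never names the event ID behind "A security-enabled local group membership was enumerated."; the mapping to 4799 used below is stated from Windows Security auditing knowledge, not from the page, and the hostnames, users and log layout are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value layout (not real logs).
SAMPLE_RAW = """\
2024-05-01T10:00:00 computer_name=WS01 event_id=4732 user.name=jdoe msg="A member was added to a security-enabled local group."
2024-05-01T10:00:05 computer_name=WS01 event_id=4799 user.name=svc msg="A security-enabled local group membership was enumerated."
2024-05-01T10:02:00 computer_name=WS01 event_id=4624 user.name=jdoe msg="An account was successfully logged on."
2024-05-01T10:03:00 computer_name=WS01 event_id=4799 user.name=svc msg="A security-enabled local group membership was enumerated."
2024-05-01T10:05:00 computer_name=WS01 event_id=4688 user.name=jdoe msg="A new process has been created."
2024-05-01T10:10:00 computer_name=WS01 event_id=4733 user.name=jdoe msg="A member was removed from a security-enabled local group."
2024-05-01T11:00:00 computer_name=WS02 event_id=4732 user.name=asmith msg="A member was added to a security-enabled local group."
2024-05-01T11:30:00 computer_name=WS02 event_id=4733 user.name=asmith msg="A member was removed from a security-enabled local group."
2024-05-01T12:00:00 computer_name=WS03 event_id=4799 user.name=svc msg="A security-enabled local group membership was enumerated."
"""

# 4799 = "A security-enabled local group membership was enumerated." (assumed
# mapping; the thread does not name the ID). Three filters mirror the first
# answer: NOT event_id IN (...), NOT "term", where NOT match(_raw, regex).
FLUFF_IDS = {4799}
FLUFF_TERMS = ("membership was enumerated",)
FLUFF_REGEX = re.compile(r"enumerat(ed|ion)")

LINE_RE = re.compile(
    r'^(?P<ts>\S+) computer_name=(?P<host>\S+) event_id=(?P<eid>\d+) '
    r'user\.name=(?P<user>\S+) msg="(?P<msg>[^"]*)"$'
)

def parse(raw):
    """Turn the constructed lines into dicts with the fields the searches use."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the sample layout
        events.append({"_time": datetime.fromisoformat(m["ts"]),
                       "computer_name": m["host"], "event_id": int(m["eid"]),
                       "user.name": m["user"], "_raw": line})
    return events

def drop_fluff(events):
    """First answer: cheapest filter first (ID), then term, then regex."""
    keep = []
    for ev in events:
        if ev["event_id"] in FLUFF_IDS:
            continue
        if any(t in ev["_raw"] for t in FLUFF_TERMS):
            continue
        if FLUFF_REGEX.search(ev["_raw"]):
            continue
        keep.append(ev)
    return keep

def stats_by_computer(events):
    """Second answer: per computer_name, count 4732/4733, keep hosts with both."""
    rows = {}
    for ev in events:
        if ev["event_id"] not in (4732, 4733):
            continue
        row = rows.setdefault(ev["computer_name"], {
            "count4732": 0, "count4733": 0, "users": set(),
            "startTime": ev["_time"], "endTime": ev["_time"]})
        row["count%d" % ev["event_id"]] += 1
        row["users"].add(ev["user.name"])
        row["startTime"] = min(row["startTime"], ev["_time"])
        row["endTime"] = max(row["endTime"], ev["_time"])
    return {h: r for h, r in rows.items()
            if r["count4732"] >= 1 and r["count4733"] >= 1}

def events_between(events, maxspan=timedelta(minutes=15)):
    """Asker's end goal: per host, the events between a 4732 and the next 4733,
    honouring the same maxspan as the original transaction command."""
    windows, open_start = [], {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        host = ev["computer_name"]
        if ev["event_id"] == 4732:
            open_start[host] = ev  # a later 4732 supersedes an unclosed one
        elif ev["event_id"] == 4733 and host in open_start:
            start = open_start.pop(host)
            if ev["_time"] - start["_time"] <= maxspan:
                inside = [e for e in events if e["computer_name"] == host
                          and start["_time"] < e["_time"] < ev["_time"]]
                windows.append({"computer_name": host, "start": start["_time"],
                                "end": ev["_time"], "events": inside})
    return windows

if __name__ == "__main__":
    clean = drop_fluff(parse(SAMPLE_RAW))
    for w in events_between(clean):
        print(w["computer_name"], w["start"], w["end"],
              [e["event_id"] for e in w["events"]])
```

Filtering before correlating matters in the real search too: terms excluded with NOT in the base search are dropped at retrieval time, while `where NOT match(_raw, ...)` runs on every event that was already pulled back, so put the event_id and keyword exclusions first and reserve the regex for what they cannot express. Note also that the sample deliberately includes a 4732/4733 pair 30 minutes apart on WS02, which the stats approach reports but the 15-minute window does not.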
The end goal is to find what was happening during the time between those two event IDs. Thank you for your help. I am very new to Splunk, so any thoughts on the best way to do that would be appreciated!