transaction query

srajanbabu · ‎10-18-2013

I have a search as source="C:\\Data\\acctdata\\snm4-logger.log" | transaction FILENAME_FIELD keepevicted=true| where mvcount(BYTES_FIELD)>1 | table FILENAME_FIELD BYTES_FIELD
producing filename and bytes transferred in each file.
Also i have a search as source="C:\\Data\\acctdata\\snm4-logger.log" | transaction Plainuserip keepevicted=true| where mvcount(FILENAME_FIELD)>1 | table Plainuserip FILENAME_FIELD
producing username and files transferred by each user.
I want to combine the the above two searches to produce the result as follows

Plainuserip FILENAME_FIELD BYTES_FIELD 1 EMBT01UK file corpfile5430695 148 bytes transferred 148 bytes transferredSSNM5

alacercogitatus · ‎10-18-2013

source="C:\\Data\\actdata\\snm4-logger.log" | transaction Plainuserip FILENAME_FIELD keepevicted = true | stats values(BYTES_FIELD) by Plainuserip FILENAME_FIELD

Might get you close to what you want.

transaction query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation

transaction query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud