I found out what was causing my issue: a paragraph return. In my copying and pasting back and forth to Notepad, I guess I must have hit return once right after stats; and with the small input text box for Splunk I just assumed that the line wrapped because the next word was long.
Now I can use this: index="xxx" `create_transaction(fieldname,searchterm)`
##[create_transaction]
$search_field$="$search_term$" |
stats dc(session_status) as session_status_count,
values(session_status) as session_status,
last(src_mac) as src_mac,
last(src_ip) as src_ip,
last(dest_ip) as dest_ip,
last(user) as user,
last(user_group) as user_group,
last(src_nt_group) as src_nt_group,
last(src_country_color) as src_country_color,
last(_time) as session_start_time,
first(_time) as session_end_time,
first(date_wday_short) as www,
first(date_month_num) as MM,
first(date_year) as YYYY,
first(date_mday) as dd,
last(src_nt_host) as src_nt_host,
last(src_os_software) as src_os_software,
last(src_os_version) as src_os_version,
last(src_country) as src_country,
last(src_region) as src_region,
last(src_city) as src_city by session_id |
strcat www ": " MM "." dd "." YYYY fullDate |
eval time=strftime(session_start_time,"%H:%M") |
eval active_duration=tostring((now()-session_start_time),"duration") |
eval timeDelta=tostring((session_end_time-session_start_time),"duration") |
eval duration=if(session_status="logout",timeDelta,active_duration) |
table session_id, user, time, fullDate, duration, src_ip, dest_ip, src_mac, src_nt_host,
src_os_software, src_os_version, src_country, src_region, src_city |
sort -session_id
Note: In the actual macro, the line returns are removed (as I have learned).
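To check what the stats and eval stages of a macro like this actually produce per session, here is an added Python example (not from the original post or from Splunk) that reconstructs the same per-session rows from a handful of constructed login/logout events. It mirrors the ordering semantics the macro relies on: Splunk returns events newest-first, so last(_time) is the session start and first(_time) the most recent activity. The duration format is an approximation of tostring(X, "duration"), and treating a session as closed when any logout event is present is an assumption made for the example.

```python
"""Reconstruct per-session rows from authentication events, mirroring the
stats/eval stages of the macro above. Added example, not from the original
post; all events below are constructed sample data."""
from collections import defaultdict

# Constructed sample events, listed newest-first as Splunk hands them to stats.
SAMPLE_EVENTS = [
    {"_time": 1900, "session_id": "s1", "session_status": "logout", "user": "alice",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.1.9", "src_mac": "00:11:22:33:44:55"},
    {"_time": 1000, "session_id": "s1", "session_status": "login", "user": "alice",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.1.9", "src_mac": "00:11:22:33:44:55"},
    {"_time": 5000, "session_id": "s2", "session_status": "login", "user": "bob",
     "src_ip": "10.0.0.7", "dest_ip": "10.0.1.9", "src_mac": "66:77:88:99:aa:bb"},
]


def to_duration(seconds):
    """Approximate Splunk's tostring(X, "duration"): HH:MM:SS, days prefixed 'D+'."""
    seconds = int(seconds)
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    body = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days}+{body}" if days else body


def build_sessions(events, now):
    """Group events by session_id and compute one row per session.

    Splunk's first() takes the first event in search order (the newest) and
    last() the final one (the oldest), so last(_time) is the session start and
    first(_time) the most recent activity, exactly as in the macro.
    """
    groups = defaultdict(list)
    for ev in events:  # preserve newest-first order within each group
        groups[ev["session_id"]].append(ev)

    rows = {}
    for sid, evs in groups.items():
        newest, oldest = evs[0], evs[-1]
        start, end = oldest["_time"], newest["_time"]
        statuses = sorted({e["session_status"] for e in evs})  # values(session_status)
        # Assumption for this example: a session is closed when a logout was seen;
        # closed sessions report end-start, open ones report now-start (active_duration).
        closed = "logout" in statuses
        duration = to_duration(end - start) if closed else to_duration(now - start)
        rows[sid] = {
            "session_id": sid,
            "user": oldest["user"],                     # last(user)
            "session_status": statuses,
            "session_status_count": len(statuses),      # dc(session_status)
            "session_start_time": start,
            "session_end_time": end,
            "duration": duration,
            "src_ip": oldest["src_ip"],
            "dest_ip": oldest["dest_ip"],
            "src_mac": oldest["src_mac"],
        }
    return rows


def report(rows):
    """Equivalent of the trailing table/sort: newest session_id first."""
    return [rows[sid] for sid in sorted(rows, reverse=True)]


if __name__ == "__main__":
    # now=5600 is a constructed clock value so the open session has a stable duration.
    for row in report(build_sessions(SAMPLE_EVENTS, now=5600)):
        print(row)
```

Running it prints one row per session: s1 (login and logout) gets a fixed duration of 00:15:00, while s2, which has no logout, reports how long it has been active relative to the supplied clock. Comparing such rows against the macro's table output is a quick way to confirm that the first()/last() direction and the status-dependent duration rule behave as intended before the macro is used in an alerting search.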