×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Georgi
Engager
Member since: ‎09-14-2021
‎09-16-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎09-14-2021
View All

Re: How to extract sub-transactions from transacti...

by in Splunk Search
‎09-16-2021 02:01 AM
‎09-16-2021 02:01 AM
Spot on! Thanks, the "sort" is the part I was missing to put the transactions next to each other. Just for transparency, those prefix lines are standard rfc5424 syslog fields, so a Splunk addon I have is already extracting them for me so I have _time, host, appname, procid already extracted. The final search to do the trick looks like this (minimizing the changes to demonstrate what was important here based on your input). appname=sftp-server | rex field=_raw "session (opened|closed) for local user (?<sftp_user>[^ ]+) from" | rex field=_raw "close \".*\" bytes read (?<sftp_bytes_read>\d+)" | sort 0 host appname procid _time | filldown sftp_user | timechart sum(sftp_bytes_read) by sftp_user   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎09-16-2021 05:48 AM