Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I create a transaction when not all fields are present?

mayakulkarni
New Member
‎09-06-2016 02:13 PM

Hi!

I am a Splunk beginner and have the following question.

I have some events I would like to transact, but not all field values are present in all events. E.g:

Event1: cookie, ip
Event2: c_ip (value is same as ip field in event1)
Event3: client_ip (value same as ip field in event1)

I want events that have different values for the field cookie, but the same IP to be put into a different transaction, so this is why I cannot just rename the ip fields and transact on the ip.

Thanks!

0 Karma
Reply

sundareshr
Legend
‎09-06-2016 03:46 PM

You need the coalesce command. Like this

... | eval ip=coalesce(ip, src_ip, client_ip) | transaction ip

http://blogs.splunk.com/2014/03/21/search-command-coalesce/

0 Karma
Reply

mayakulkarni
New Member
‎09-06-2016 04:12 PM

thanks, but one more questioN: I can see how this will work for the ip fields I have, but will this help for transacting based on a unique cookie and ip pair? my situation is as follows:

event1: cookie=sugar, ip=1.0
event2: c_ip=1.0
event3: client_ip=1.0

event4: cookie=chocolate, ip=1.0
event5: c_ip=1.0
event6: client_ip=1.0

in this scenario, i want events 1-3 to be transacted together, and events 4-6 to be transacted together

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...