Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

transaction command: How to group events ONLY on specific conditions?

koshyk
Super Champion
‎08-10-2018 01:57 AM

We have got a system, whereby an event-pairing occurs only for specific type of messageId

event=1 messageId=100 requestor=human1 
event=2 messageId=200 requestor=human2 
event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4

In above example, we need to group the events ONLY if the messageId is 20* (ie in 200's)and based on requestor.
Currently the simple query is:

... | transaction requestor

Looking for output something like.. So event=2 and event=3 will be a single transaction

event=1 messageId=100 requestor=human1 
event=2 messageId=200 requestor=human2  event=3 messageId=201 requestor=human2
event=4 messageId=300 requestor=human3
event=5 messageId=300 requestor=human4
event=6 messageId=300 requestor=human4

I'm looking for something 

... | transaction requestor where messageId=20*

PS: I don't want to group for messageId=300 even if its same requestor (event 5 & 6)

Ideally looking for transaction to be done only on specific events without needing multiple queries on raw data
Any ideas/tricks to do this?

0 Karma
Reply

adonio
Ultra Champion
‎08-10-2018 03:33 AM

maybe filter before the transaction?
index = <your_index> sourcetype = <your_sourcetype> messageId = 20* ... | transaction ....
what is your desired outcome of the search

0 Karma
Reply

koshyk
Super Champion
‎08-10-2018 12:10 PM

hi mate, i have put the desired outcome of result in the Question itself..
In your logic it gives ONLY events with 20* for transaction command. So only 20* will be output, but will remove rest of messages

0 Karma
Reply

adonio
Ultra Champion
‎08-11-2018 06:07 PM

i think i understand now.
the search below is not perfect, as it relays on random function and maybe occasionally you will hit the random number generated twice with same requestor but i find it very unlikely. you can also increase the number on that function as high as you see fit

   | makeresults count = 1 
    | eval data = "event=1,messageId=100,requestor=human1;
     event=2,messageId=200,requestor=human2;
     event=3,messageId=201,requestor=human2;
     event=4,messageId=300,requestor=human3;
     event=5,messageId=300,requestor=human4;
     event=6,messageId=300,requestor=human4"
     | makemv delim=";" data 
     | mvexpand data
     | eval _time = now() - random()%100
     | eval _raw = data
     | extract  pairdelim=",", kvdelim="="
     | table _time _raw event messageId requestor
     | rename COMMENT as "the above generates data below is the solution" 
     | eval trans_event = if(like(messageId,"20%"),"1",random()%100000000000)
     | transaction requestor trans_event

hope you like it

Reply

koshyk
Super Champion
‎08-12-2018 10:28 AM

i liked the concept. I will try it in my scenario and let you know. In the meantime, i've upvoted your comment

0 Karma
Reply

marthodder
Explorer
‎08-10-2018 02:20 AM

have you tried keeporphans=true, this should display all other results alongside any groupings?

0 Karma
Reply

koshyk
Super Champion
‎08-10-2018 12:13 PM

I tried that, but how to ensure it groups only the 20* messages?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...