12/27/2023

Splunk transaction mvlist

Question:

My transactions consist of two fields named JOBID and SUBJOBID. A typical search result contains events like JOBID=901031. How to use the transaction command to get all these events belonging to JOBID=901031 like shown above? I've tried using the command transaction JOBID, SUBJOBID mvlist=true but Splunk returned four events and not the expected single one.

Maybe the following graphic illustrates my complex transaction topic a little less abstractly. Shown here: three transactions within one log snippet (the red framed, the blue framed and the green framed). The red and green ones have events related by SUBJOBIDs to the main transaction (JOBID). Going down the log, the transactions can be found nested into each other, and furthermore there are events not belonging to any transaction - just like in real (server log) life.

Answer:

My suggestion is a little complicated but should work.

1. Create a key that will tie together all JobID's and SubJobID's.
2. Create a lookup that contains the JobID, SubJobID, and newly created key.
3. Use the lookup in your transaction search.
4. (optional) Set up a scheduled search job that will keep the lookup updated with new keys as new information is added. I'd do this only if you will need to create this kind of transaction fairly often.

So first create a key where each record consists of a JobID and all of that JobID's SubJobID's. In the search, also include the fields that will be needed for correlation later, which are JobID and SubJobID. Your search might look something like this:

    | stats values(SUBJOBID) as SUBJOBID by JOBID
    | eval key=JOBID + "-" + mvjoin(SUBJOBID,"-")
    | mvexpand SUBJOBID

Export the results of the above search as a csv file (either through | outputcsv or through the export button on the GUI) and use it to set up a new lookup. The JOBID and SUBJOBID fields should be set as input fields and the key field should be an output field. For information on how to create a lookup, see the docs here. For the rest of this answer, I'll refer to this lookup as keyLookup.

Now you can use keyLookup in a search to add a key to each record with a JOBID or SUBJOBID, then create a transaction based on key:

    | lookup keyLookup JOBID as JOBID OUTPUT key as key
    | lookup keyLookup SUBJOBID as SUBJOBID OUTPUT key as key
    | transaction key

You will need to recreate this lookup when you want to perform your transaction search because new incoming data could have new JOBID's and SUBJOBID's.
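The answer's key-lookup approach, replayed outside Splunk so the grouping can be checked line by line. This is an added example, not code from the original question or answer: the log lines, JOBID and SUBJOBID values are constructed, SUBJOBIDs are assumed to be unique across JOBIDs (the same assumption the two lookup commands make), and the fallback that gives a key to a JOBID that never pairs with a SUBJOBID is an addition the answer's `stats` search does not have.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the original post). Job 901031 owns sub-jobs 7
# and 8, job 901032 owns sub-job 9, job 901033 has no sub-jobs, and two lines belong
# to nothing; the lines interleave the way the question describes.
SAMPLE_LOG = """\
10:00:01 JOBID=901031 job accepted
10:00:02 JOBID=901031 SUBJOBID=7 dispatched
10:00:03 JOBID=901032 job accepted
10:00:04 SUBJOBID=7 worker started
10:00:05 JOBID=901032 SUBJOBID=9 dispatched
10:00:06 heartbeat ok
10:00:07 JOBID=901031 SUBJOBID=8 dispatched
10:00:08 SUBJOBID=9 worker finished
10:00:09 SUBJOBID=8 worker started
10:00:10 cache flushed
10:00:11 SUBJOBID=7 worker finished
10:00:12 JOBID=901031 job finished
10:00:13 JOBID=901033 job accepted
"""

FIELD_RE = re.compile(r"\b(JOBID|SUBJOBID)=(\d+)\b")


def parse_events(raw):
    """Turn each log line into an event dict: _raw plus any JOBID / SUBJOBID it carries."""
    events = []
    for line in raw.splitlines():
        event = {"_raw": line}
        event.update(FIELD_RE.findall(line))   # list of (field, value) pairs
        events.append(event)
    return events


def build_key_lookup(events):
    """Steps 1 and 2 of the answer: one key per JOBID made of the JOBID and all of
    its SUBJOBIDs (the `stats values(SUBJOBID) by JOBID | eval key=...` search),
    exposed as two lookup tables, one keyed by JOBID and one by SUBJOBID (the
    exported CSV after mvexpand)."""
    subs_by_job = defaultdict(set)
    for e in events:
        if "JOBID" in e and "SUBJOBID" in e:   # only these rows tie a sub-job to a job
            subs_by_job[e["JOBID"]].add(e["SUBJOBID"])
    by_job, by_sub = {}, {}
    for job, subs in subs_by_job.items():
        key = job + "-" + "-".join(sorted(subs))   # mirrors mvjoin(SUBJOBID,"-")
        by_job[job] = key
        for sub in subs:
            by_sub[sub] = key   # assumes a SUBJOBID is never reused under another JOBID
    return by_job, by_sub


def correlate(events, by_job, by_sub):
    """Step 3: the two `lookup ... OUTPUT key` commands followed by `transaction key`.
    Returns (transactions, leftovers): key -> raw lines in log order, plus the lines
    that belong to no transaction."""
    transactions = defaultdict(list)
    leftovers = []
    for e in events:
        key = by_job.get(e.get("JOBID"))
        # the second lookup overwrites the first, exactly as the two OUTPUT clauses do
        key = by_sub.get(e.get("SUBJOBID"), key)
        if key is None and "JOBID" in e:
            key = e["JOBID"]   # added fallback: a JOBID with no sub-jobs still groups
        if key is None:
            leftovers.append(e["_raw"])
        else:
            transactions[key].append(e["_raw"])
    return dict(transactions), leftovers


def run_demo(raw=SAMPLE_LOG):
    """Whole pipeline on one log text; returns (transactions, leftovers)."""
    events = parse_events(raw)
    by_job, by_sub = build_key_lookup(events)
    return correlate(events, by_job, by_sub)


if __name__ == "__main__":
    txns, rest = run_demo()
    for key, lines in txns.items():
        print(f"transaction {key}: {len(lines)} events")
        for line in lines:
            print("   ", line)
    print("not in any transaction:", rest)
```

Two things the replay makes visible. First, the key itself changes as sub-jobs arrive (901031-7-8 becomes 901031-7-8-9 once a ninth sub-job is dispatched), so a lookup built yesterday assigns a different key than one built today and `transaction key` will split one job into two groups; that is the reason behind the answer's advice to rebuild the lookup before each transaction search or to schedule the rebuild. Second, because the SUBJOBID lookup overwrites the JOBID lookup, a SUBJOBID value that is reused under two different JOBIDs would silently pull events into the wrong transaction, so check sub-job IDs for uniqueness before trusting the grouping.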