Splunk Search

How to split a transaction?

vbumgarner
Contributor

I'm using

transaction ... | search duration>x

to eliminate some noise, but then I want to break the events back out of the transaction and use stats against what is left. I was thinking mvexpand would help me, but I'm not having any luck.

1 Solution

carasso
Splunk Employee

The other answers here seemed to have focused on raw. I'm not sure why, because the question said he wants to do stats. Regardless, the other answers are now unnecessarily convoluted. In 4.3 we added the "mvraw=true" option to transaction, so _raw can be a true multivalued field.

Regarding stats, mvexpand should work fine. It's unclear what problem the questioner had with it.


hexx
Splunk Employee

Here's an alternative method using rex.

For testing purposes let's associate events from metrics.log in clumps of 4 with:

index=_internal source=*metrics.log | transaction maxevents=4 source

This yields transaction meta-events that look like this:


12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=58, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=realtime_search_data, system total, drop_count=0
12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0

To get the original _raw field back (and therefore, display the original events) I use rex with a "delimiter" regex matching the date at the beginning of my event, and then all characters until a CRLF. This creates one multi-value field per transaction containing the pre-transaction values of _raw, which we can then expand back to a single-value field with mvexpand:

index=_internal source=*metrics.log | transaction maxevents=4 source | eval transaction_raw=_raw | rex max_match=1000 "(?msi)^(?<raw>[01]\d-[0-3]\d-2011\s[^\r\n]*?)$" | mvexpand raw | eval _raw=raw

Remarks:

  • For the delimiter regex to work, you need to specify max_match with a value equal to or higher than the maximum number of events you expect in your transaction.
  • The regex will need to be reworked if your original events span multiple lines.
  • A transition field (here raw) is necessary. You cannot restore _raw directly onto itself.
  • We conserved the transaction's own _raw in transaction_raw, which still allows reporting on the transaction results. The transaction special fields are also conserved.

sideview
SplunkTrust

mvexpand won't do it because mvexpand only works on multivalued fields.

http://www.splunk.com/base/Documentation/latest/SearchReference/Mvexpand

You can, however, turn the event text (technically the field is called _raw) into a multivalued field with eval split(_raw, "\n").

<your search> | eval _raw = split(_raw, "\n") | mvexpand _raw
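The thread's three-step workflow (transaction, filter on duration, split the events back out for stats) and the two splitting techniques above are SPL, which cannot be run outside Splunk. The following Python is an added example, not code from the thread or from Splunk: it models `transaction maxevents=4 source`, `search duration>x`, hexx's rex delimiter (with the named group in Python's `(?P<raw>...)` syntax), sideview's `split(_raw, "\n")`, and a `stats count by group` over the re-expanded events. It goes one step beyond the thread with a timestamp-anchored splitter that keeps a multi-line event intact, which is the caveat both answers note. All sample events are constructed to resemble the metrics.log lines quoted above; the function names and the `source` tuples are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events modelled on the metrics.log lines quoted in the
# thread (not real log data). Tuples are (source, _raw); source is the field
# that `transaction maxevents=4 source` groups on.
EVENTS = [
    ("metrics.log", "12-29-2011 08:51:52.940 -0800 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0"),
    ("metrics.log", "12-29-2011 08:52:03.101 -0800 INFO  Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0"),
    ("metrics.log", "12-29-2011 08:52:13.250 -0800 INFO  Metrics - group=realtime_search_data, system total, drop_count=0"),
    ("metrics.log", "12-29-2011 08:52:23.512 -0800 INFO  Metrics - group=search_concurrency, system total, active_hist_searches=0"),
    ("metrics.log", "12-29-2011 08:53:22.940 -0800 INFO  Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0"),
    ("metrics.log", "12-29-2011 08:53:23.001 -0800 INFO  Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0"),
    ("metrics.log", "12-29-2011 08:53:23.002 -0800 INFO  Metrics - group=realtime_search_data, system total, drop_count=0"),
    ("metrics.log", "12-29-2011 08:53:23.003 -0800 INFO  Metrics - group=search_concurrency, system total, active_hist_searches=0"),
]

TIME_FORMAT = "%m-%d-%Y %H:%M:%S.%f %z"   # e.g. "12-29-2011 08:51:52.940 -0800"


def parse_time(raw):
    """Timestamp from the first 29 characters of a metrics.log line."""
    return datetime.strptime(raw[:29], TIME_FORMAT)


def build_transactions(events, maxevents=4):
    """Mimic `transaction maxevents=N source`: group events by source in
    arrival order, at most N per group, and return meta-events whose _raw is
    the member events joined by newlines, plus duration and eventcount."""
    by_source = {}
    for source, raw in events:
        by_source.setdefault(source, []).append(raw)
    transactions = []
    for source, raws in by_source.items():
        for i in range(0, len(raws), maxevents):
            chunk = raws[i:i + maxevents]
            times = [parse_time(r) for r in chunk]
            transactions.append({
                "source": source,
                "_raw": "\n".join(chunk),
                "eventcount": len(chunk),
                "duration": (max(times) - min(times)).total_seconds(),
            })
    return transactions


# hexx's delimiter regex; Python spells the named group (?P<raw>...) where
# Splunk's PCRE uses (?<raw>...). It captures one line per event, so the
# continuation lines of a multi-line event are silently dropped.
DELIM_RE = re.compile(r"(?msi)^(?P<raw>[01]\d-[0-3]\d-2011\s[^\r\n]*?)$")


def split_transaction_rex(tx_raw, max_match=1000):
    """`rex max_match=... "<delimiter regex>"` followed by `mvexpand raw`."""
    return [m.group("raw") for m in DELIM_RE.finditer(tx_raw)][:max_match]


def split_transaction_newline(tx_raw):
    """sideview's `eval _raw = split(_raw, "\\n") | mvexpand _raw`."""
    return tx_raw.split("\n")


# Added variant (assumption of this example, not from the thread): anchor on
# the timestamp that starts each event and take everything up to the next
# timestamped line, so a multi-line event survives as one event. The year is
# not hard-coded here.
MULTILINE_RE = re.compile(
    r"(?ms)^(?P<raw>[01]\d-[0-3]\d-\d{4}\s.*?)(?=\n[01]\d-[0-3]\d-\d{4}\s|\Z)"
)


def split_transaction_multiline(tx_raw):
    return [m.group("raw").rstrip("\r\n") for m in MULTILINE_RE.finditer(tx_raw)]


GROUP_RE = re.compile(r"\bgroup=(\w+)")


def stats_count_by_group(raws):
    """`stats count by group` over the re-expanded events."""
    counts = Counter()
    for raw in raws:
        m = GROUP_RE.search(raw)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def search_pipeline(events, min_duration, splitter=split_transaction_rex):
    """transaction | search duration>x | <split back out> | stats count by group"""
    kept = [t for t in build_transactions(events) if t["duration"] > min_duration]
    expanded = [raw for t in kept for raw in splitter(t["_raw"])]
    return stats_count_by_group(expanded)


# Constructed transaction holding a two-line event, to show the multi-line
# caveat from hexx's remarks.
MULTILINE_TX = "\n".join([
    "12-29-2011 08:52:13.250 -0800 INFO  Metrics - group=queue, name=tcpin_queue",
    "12-29-2011 08:52:13.300 -0800 ERROR ExecProcessor - script failed\n  at step two",
    "12-29-2011 08:52:13.350 -0800 INFO  Metrics - group=search_concurrency, system total",
])

if __name__ == "__main__":
    print(search_pipeline(EVENTS, min_duration=10))
    print(split_transaction_newline(MULTILINE_TX))
    print(split_transaction_rex(MULTILINE_TX))
    print(split_transaction_multiline(MULTILINE_TX))
```

With `min_duration=10` only the first clump (about 30.6 s wide) survives the filter, so the stats see four events: two `queue`, one `realtime_search_data`, one `search_concurrency`. On single-line events the rex and newline splitters agree; on `MULTILINE_TX` the newline split produces a fourth bogus "event" and the date-anchored single-line regex drops the continuation line, while the timestamp-anchored variant returns three whole events. Note that real Splunk feeds `transaction` events in reverse time order, which this model does not reproduce.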