I'm using
transaction ... | search duration>x
to eliminate some noise, but then I want to break the events back out of the transaction and use stats against what is left. I was thinking mvexpand would help me, but I'm not having any luck.
The other answers here seemed to have focused on raw. I'm not sure why, because the question said he wants to do stats. Regardless, the other answers are now unnecessarily convoluted. In 4.3 we added the "mvraw=true" option to transaction, so _raw can be a true multivalued field.
Regarding stats, mvexpand should work fine. It's unclear what problem the questioner had with it.
Here's an alternative method using rex.
For testing purposes let's associate events from metrics.log in clumps of 4 with :
index=_internal source=*metrics.log | transaction maxevents=4 source
This yields transaction meta-events that look like this :
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=queue, name=tcpin_queue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=0, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=queue, name=typingqueue, max_size_kb=500, current_size_kb=0, current_size=0, largest_size=58, smallest_size=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=realtime_search_data, system total, drop_count=0
12-29-2011 08:51:52.940 -0800 INFO Metrics - group=search_concurrency, system total, active_hist_searches=0, active_realtime_searches=0
To get the original _raw field back (and therefore, display the original events) I use rex with a "delimiter" regex matching the date at the beginning of my event, and then all characters until a CRLF. This creates one multi-value field per transaction containing the pre-transaction values of _raw, which we can then expand back to a single-value field with mvexpand :
index=_internal source=*metrics.log | transaction maxevents=4 source | eval transaction_raw=_raw | rex max_match=1000 "(?msi)^(?<raw>[01]\d-[0-3]\d-2011\s[^\r\n]*?)$" | mvexpand raw | eval _raw=raw
Remarks :
- max_match: use a value equal to or higher than the maximum number of events you expect in your transaction.
- The intermediate field (raw) is necessary. You cannot restore _raw directly unto itself.
- The transaction's _raw is kept in transaction_raw, which still allows reporting on the transaction results. The transaction special fields are also conserved.

mvexpand won't do it because mvexpand only works on multivalued fields.
http://www.splunk.com/base/Documentation/latest/SearchReference/Mvexpand
You can however turn the event text (technically the field is called _raw) into a multivalued field with eval split(_raw, "\n") though.
<your search> | eval _raw = split(_raw, "\n") | mvexpand _raw
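Putting the answers together (this is an added example, not a search from any of the posts above): the mvraw=true route from the first answer and the split() route from the last answer, carried through to the stats the question actually asks for, on the same metrics.log data the rex answer uses. It assumes Splunk 4.3 or later for mvraw=true, as the first answer states; the field names event_time, event_group, transaction_duration and transaction_events, and the duration threshold of 0.001, are my own choices. What it adds is the caveat a practitioner hits next: after mvexpand each row still carries the transaction's own _time, duration and eventcount, and the fields transaction merged (group, name, ...) are still multivalued, so per-event values have to be re-extracted from the expanded _raw before stats sees anything per event.

```spl
index=_internal source=*metrics.log
| transaction maxevents=4 source mvraw=true
| search duration>0.001
| eval transaction_duration=duration, transaction_events=eventcount
| mvexpand _raw
| rex field=_raw "^(?<event_time>[01]\d-[0-3]\d-\d{4} \d\d:\d\d:\d\d\.\d{3} [-+]\d{4})"
| eval _time=strptime(event_time, "%m-%d-%Y %H:%M:%S.%3N %z")
| rex field=_raw "group=(?<event_group>[^,]+)"
| stats count as events, avg(transaction_duration) as avg_duration by event_group
```

Stage by stage: transaction with mvraw=true leaves _raw as a multivalued field with one value per original event; search duration>0.001 is the noise filter from the question, applied while the rows are still transactions; the eval copies the transaction-level duration and eventcount under explicit names so they are not mistaken for per-event values later; mvexpand _raw produces one row per original event, each still carrying the copied transaction fields; the first rex and strptime rebuild a per-event _time from the timestamp at the start of each line (the transaction's _time is only the earliest event's time); the second rex re-extracts group from the single-line _raw into a fresh field rather than trusting the multivalued group that transaction merged; stats then runs per event, with the transaction duration available for grouping or averaging. On a release without mvraw, replace the transaction line with "transaction maxevents=4 source" and insert "| eval _raw=split(_raw, "\n")" immediately after the search duration>0.001 stage, as the last answer shows; the rest of the pipeline is unchanged.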