annotated raw field in transactions

Dan Goldburt asks:

I'm consistently getting the following request from customers: "can I see where each event came from?". If they have this 150+ line transaction and want to scan through it, it helps to see the host, sourcetype, etc... next to each component event. (for a deep dive, I attached an email where I was working on this for another customer and couldn't come up with a satisfactory answer). Has anyone else heard this complaint?

transactions

asked 11 Feb '10, 18:21

Ledion Bitincka ♦
1.5k●3●6
accept rate: 35%

One Answer:

oldest newest most voted

A fairly crude way of seeing the source/sourcetype/host next to each individual event is to concat the value of those fields into _raw before doing the transaction, e.g.

… | eval _raw = source . “;” . sourcetype . “;” . host . “;” . _raw | transaction …

SteveZ

link

answered 11 Feb '10, 18:22

Ledion Bitincka ♦
1.5k●3●6
accept rate: 35%

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

transactions ×134

Asked: 11 Feb '10, 18:21

Seen: 586 times

Last updated: 25 Feb '10, 18:29

annotated raw field in transactions

Follow this question

Splunk Resources

Related questions