Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is transaction not making multivalue fields in event order?

Jason
Motivator
‎08-02-2010 09:01 PM

I have a bunch of events bunched into transactions, and I am trying to use the latest (time-wise) value of a field, so I was searching with the following:

 searchquery | transaction foo maxspan=5m maxpause=1m delim="," | eval LastBar=mvindex(bar, -1)

There is only only one bar per event, thus the multivalue field is being created by transaction. The problem is LastBar is not getting set to the last (newest) bar, but to the last (highest) bar lexographically. Events in the transaction display from oldest to newest (strange, considering transactions themselves are listed from new to old, but I can live with that) but the mv order does not seem related to the event order.

Am I misunderstanding how mv fields are created/used, or is this a bug? If not a bug, how do I pull the earliest or latest event's field from a multivalue field?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Jason
Motivator
‎08-02-2010 09:05 PM

There is an option to pass to transaction to make the mv field comply with event order:

searchquery | transaction foo maxspan=5m maxpause=1m delim="," mvlist=bar | eval LastBar=mvindex(bar, -1)

This will create the multivalue bar field in event order. You can also specify mvlist=true to apply event-order to all mv fields created by transaction.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jason
Motivator
‎08-02-2010 09:05 PM

There is an option to pass to transaction to make the mv field comply with event order:

searchquery | transaction foo maxspan=5m maxpause=1m delim="," mvlist=bar | eval LastBar=mvindex(bar, -1)

This will create the multivalue bar field in event order. You can also specify mvlist=true to apply event-order to all mv fields created by transaction.

Reply
Solved! Jump to solution

tonopahtaos
Path Finder
‎06-04-2012 10:47 AM

This is great information.

0 Karma
Reply
Solved! Jump to solution

Lowell
Super Champion
‎08-02-2010 09:24 PM

Also note that the transaction command will drop duplicate values in a multi-valued field. So using mvlist option, as shown here, will not only preserves order but duplicates values as well. This is very important if you want to total a field, like in this example: eventtype=ftp | transaction host pid mvlist=bytes | eventstats total_bytes=sum(bytes) by host,pid

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...