7/29/2023

Splunk transaction startswith

Transaction command: startswith / endswith: To form transactions based on terms, field values or evaluations, use startswith and endswith, e.g. startswith=action="addtocart" endswith=action="purchase". In your case, you need to use the last shown example. NOTE: Use transaction when you need to see events correlated together and also must define event grouping based on start / end values.

So when I originally wrote this post it was to better understand how the Transaction command works. Because, up until recently, I'd mainly stuck to stats and eval for a lot of my reports and alerts. But after using Transaction I've started going, "Whoa! This is incredibly useful." So on top of trying to get a better understanding of how Transaction works, I figured I'd share what it was I knew. Because I realize I don't understand 'how' transaction works on any deep and meaningful level. No, I'm not going to take Transaction out on a date, but I'd like to get to know it and learn what makes it tick. So that when something like this comes up:

sourcetype="cisco:firewall" index=firewall (event_id="tunnel-up" OR event_id="tunnel-down") | transaction device_name startswith=tunnel-down endswith=tunnel-up

sourcetype="cisco:firewall" index=firewall (event_id="tunnel-up" OR event_id="tunnel-down") | transaction device_name startswith=tunnel-up endswith=tunnel-down

I fully understand the logic and the decision-making behind it.

To start - I understand that Transaction will group sets of data based on the criteria you specify. But if I look at what I've typed up above, my first question is, "Whoa! Why doesn't transaction grab all the events and put them into 1 long receipt?" I get that if I type just 'transaction device_name' this is what will happen - 1 long receipt with every transaction on it. But to add insult to injury, when I type this: 'transaction device_name startswith=tunnel-down endswith=tunnel-up' it just works as expected. Transaction appears to look at the list of events and say 'these events belong together based on that 1 search'. I manually checked the output before and after the transaction command. But I never told Transaction, "Hey buddy. See this list of files? Based on this 1 line I want them grouped this way." And yet somehow Transaction turned around and said, "Oh! Okay, here you go."

So my second question is, "How did transaction just 'know' to group like events together?" Because, even with the correct options and constraints, I can very easily see a scenario where transaction says, "Hey, I took the Columbus Ohio firewall logs and grouped all the events into 1 long receipt. With this, you should have the info to write that report you wanted." Instead of saying, "Hey, I broke these events into multiple receipts showing when the tunnel went down and when it came back up again. And each receipt is organized by timestamp." So either I'm just that good at writing transaction commands, or I don't understand how this command works at all.
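The answer to both questions is that startswith and endswith define where a transaction begins and ends, while the field list (device_name) only restricts which events are allowed to share a transaction. Without a start or end condition, every event for a device falls into one transaction (the "1 long receipt"); with startswith=tunnel-down endswith=tunnel-up, each tunnel-down event opens a new transaction for that device and the next tunnel-up closes it, so every outage becomes its own receipt. The Python below is an added example, not code from the post or from Splunk: it simulates the documented transaction semantics over a handful of constructed firewall events (the device names and timestamps are made up) and runs the two searches from the post side by side. It simplifies real SPL matching in two ways that are labelled in the code: a startswith/endswith term matches when it equals any field value, and events that precede any start are dropped, which is what Splunk's keepevicted=false default does. Splunk itself walks events newest-first, but startswith still refers to the chronologically earliest event of a transaction, so working forward in time gives the same grouping.

```python
"""Simulation of Splunk's `transaction` grouping over constructed events (added example)."""
from datetime import datetime

# Constructed sample firewall events (not real logs). Field names mirror the post's search:
# device_name is the grouping field, event_id carries tunnel-up / tunnel-down.
SAMPLE_EVENTS = [
    {"_time": "2023-07-29T08:00:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},
    {"_time": "2023-07-29T08:05:00", "device_name": "fw-columbus", "event_id": "tunnel-up"},
    {"_time": "2023-07-29T08:07:00", "device_name": "fw-dayton",   "event_id": "tunnel-down"},
    {"_time": "2023-07-29T09:30:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},
    {"_time": "2023-07-29T09:31:00", "device_name": "fw-dayton",   "event_id": "tunnel-up"},
    {"_time": "2023-07-29T09:45:00", "device_name": "fw-columbus", "event_id": "tunnel-up"},
    {"_time": "2023-07-29T10:00:00", "device_name": "fw-columbus", "event_id": "tunnel-down"},
]


def _matches(event, term):
    """Simplification of SPL matching: a bare startswith/endswith term matches when it
    equals any field value of the event. A missing term never matches."""
    return term is not None and term in event.values()


def _summarize(key_field, key, events, closed):
    """One output row per transaction, like Splunk: group key, duration (seconds between
    first and last event), eventcount, closed_txn, plus the member event_ids for inspection."""
    first = datetime.fromisoformat(events[0]["_time"])
    last = datetime.fromisoformat(events[-1]["_time"])
    return {
        key_field: key,
        "duration": (last - first).total_seconds(),
        "eventcount": len(events),
        "closed_txn": 1 if closed else 0,
        "event_ids": [e["event_id"] for e in events],
    }


def transaction(events, key_field, startswith=None, endswith=None):
    """Group events that share a key_field value.

    With no startswith/endswith, every event for a key lands in a single transaction.
    With startswith, only a matching event may open a transaction; a new start while one
    is still open evicts the unfinished one. An endswith match closes the transaction
    (closed_txn=1). Events that arrive before any start for their key are dropped,
    mirroring keepevicted=false. Transactions still open at the end get closed_txn=0.
    """
    ordered = sorted(events, key=lambda e: e["_time"])  # process in chronological order
    open_txns = {}  # key value -> events of the transaction currently being assembled
    results = []

    for ev in ordered:
        key = ev.get(key_field)
        if key is None:
            continue
        # Without a start condition, any event starts a transaction when none is open.
        starts = _matches(ev, startswith) if startswith else key not in open_txns
        if starts:
            if key in open_txns:
                results.append(_summarize(key_field, key, open_txns.pop(key), closed=False))
            open_txns[key] = [ev]
        elif key in open_txns:
            open_txns[key].append(ev)
        else:
            continue  # event before any startswith for this key: evicted
        if _matches(ev, endswith):
            results.append(_summarize(key_field, key, open_txns.pop(key), closed=True))

    for key, evs in open_txns.items():
        results.append(_summarize(key_field, key, evs, closed=False))
    return results


def tunnel_report(events=SAMPLE_EVENTS):
    """The two groupings from the post: plain `transaction device_name` versus
    `transaction device_name startswith=tunnel-down endswith=tunnel-up`."""
    one_receipt = transaction(events, "device_name")
    outages = transaction(events, "device_name", startswith="tunnel-down", endswith="tunnel-up")
    return one_receipt, outages


if __name__ == "__main__":
    plain, outages = tunnel_report()
    print("transaction device_name:")
    for row in plain:
        print("  ", row)
    print("transaction device_name startswith=tunnel-down endswith=tunnel-up:")
    for row in outages:
        print("  ", row)
```

Running it shows the difference directly: the plain grouping yields one row per device covering every event it logged, while the start/end grouping yields one row per outage with its duration, and the trailing tunnel-down that has no tunnel-up yet is reported as an open transaction (closed_txn=0), which is exactly the row a "tunnel currently down" alert would key on. Swapping the two terms, as in the post's second search, measures the uptime between outages instead.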