Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to perform stats within a transaction?

the_wolverine
Champion
‎10-24-2013 03:23 PM

I have a transaction with multiple values for the same field. Is it possible for me to do a dc(other_field) within a transaction?

My search | transaction same_field maxspan=1m | stats dc(other_field)

Above doesn't seem to work, it just throws away my transactions.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎10-24-2013 06:09 PM

I think mvcount() could be your friend here. Something along these lines:

your search | transaction same_field maxspan=1m | eval same_field_count=mvcount(same_field)

...something like that. same_field_count should be a count of the distinct values of same_field within each transaction. If you want a total count of ALL values of same_field (including duplicates) within each transaction, use the mvlist option within your transaction. I'm not where I can test this search but I think it will be pretty close to what you need.

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎10-24-2013 06:09 PM

I think mvcount() could be your friend here. Something along these lines:

your search | transaction same_field maxspan=1m | eval same_field_count=mvcount(same_field)

...something like that. same_field_count should be a count of the distinct values of same_field within each transaction. If you want a total count of ALL values of same_field (including duplicates) within each transaction, use the mvlist option within your transaction. I'm not where I can test this search but I think it will be pretty close to what you need.

Reply
Solved! Jump to solution

nivedita_viswan
Path Finder
‎05-26-2015 10:08 AM

I dont believe mvcount returns a count of the distinct values. It simply returns a count of the number of values

0 Karma
Reply
Solved! Jump to solution

wpreston
Motivator
‎10-25-2013 06:26 PM

Sure, happy to help!

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-25-2013 11:43 AM

Yes! Thank you!!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-24-2013 04:37 PM

eventstats perhaps?

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...