Splunk Search

How to use transaction command to find the count of users that joined a meeting within a certain time range?

mbuschle
Explorer

I have a search situation I haven't yet been able to crack. I have two sourcetypes that contain data for Web Conference meeting rooms and users. I'd like to be able to write a search that can tell me how many attendees were in each meeting room. The meeting room data looks like this:

roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" servernode="Node1" serverinstance="Instance1" userid="f12345678" roomactive="10/16/2014 12:03:14 PM" roomdormant="10/16/2014 12:06:23 PM"

The users data looks like this:

servernode="Node1" serverinstance="Instance1" roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" userid="f87654321" clienttype="web" jointime="10/16/2014 12:03:14 PM" leavetime="10/16/2014 12:03:21 PM"

I have played around with a join, but that doesn't seem to do what I need. I've had limited success with the transaction command but have not found a way to limit the transaction to the correct time frame. Basically, I'd like to know that the user joined the room between the roomactive and roomdormant fields. This is really the only way to get an accurate count, as the meeting rooms can be used multiple times throughout the day.

I've had a bit of success with a search like _ index=confdata sourcetype=Meetings OR sourcetype=MeetingUsers | transaction roomid maxpause=1h_. This does allow me to count the userid fields for each room but doesn't confine the data to the time frame when the room was active. Any help would be greatly appreciated.

Tags (2)
0 Karma

chanfoli
Builder

I suggest you look at map.

You could run your search for room data then iterate over the results with map, searching your user data using fields from your room search:

** room search | map search="search index=confdata sourcetype=MeetingUsers | where (jointime>$roomactive$ AND jointime<$roomdormant$)" maxsearches=100**

You may then add on appropriate stats to get what you want, you might want to add some evals with strptime conversions on your time fields so that your comparisons are using epoch times.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...