- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- ordering of fields in a transaction (mvfind bug?)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to determine the sequence of pageviews that a visitor visits. I have the following query:
eventtype="AnalyticsLog" | transaction SessionID | makemv uri | eval homeoffset=mvfind(uri, "/") | eval signupoffset=mvfind(uri, "/signup") | eval infooffset=mvfind(uri, "/info") | table SessionID uri homeoffset signupoffset infooffset
When I run the query, the transactions are always sorted alphabetically, so regardless of whether a visitor goes to / -> /signup -> /info or / -> /info -> /signup, the offsets always indicate / = 0, /info = 1 and /signup = 2
How would I go about determining the order of pages viewed by a visitor?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stumbled across the answer!
Multivalue rendering options
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, the magic mvlist does the job, I've provided an example usage here as well:
http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Stumbled across the answer!
Multivalue rendering options
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
confirmed bug? expected behaviour? incorrect usage?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample, retrieved by adding the following to the query:
| search SessionID="6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4".
The transaction shows that /login should be 0, /dashboard = 1 and /profile = 2. This is the event returned by the transaction:
2012-08-03T14:04:32.999Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/login"}
2012-08-03T14:04:36.996Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/dashboard"}
2012-08-03T14:04:37.240Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/profile"}
actual results:
- mvfind(uri, "/login"): 1
- mvfind(uri, "/dashboard"): 0
- mvfind(uri, "/profile"): 2
This is happening in splunkstorm and a local installation of 4.3.1
Is this a bug in the mvfind command?
Introducing the Splunk Community Dashboard Challenge!
Get the T-shirt to Prove You Survived Splunk University Bootcamp
Wondering How to Build Resiliency in the Cloud?
