
stats on transaction

psobisch
Path Finder

Hello,

I wonder how I can do a stats operation, like counting something, inside of a transaction?

I have a transaction including multiple events of the same kind (or multiple kinds). I would like to make a table listing all the transactions, including the count of certain events.

Do you have any hints?

Regards,
Peter


mstark31
Path Finder

If this is something you can accomplish with stats and not transaction, I've found a way to do it.
It appears that psobisch's original problem was solved, but in case anyone lands here from a search like I did, here you go.

Let's say I have a dataset that records every time an Animal eats a certain type of Food. Multiple Animals eat multiple types of Food.
My first search to make a full list of each time an Animal eats Food was this:

index=animalfood
| transaction Animal mvlist=t
| table *

Then, I wanted to count and list, by Animal, how many times they ate each kind of food. Keeping the multivalue format was important - I only wanted each Animal listed once.

I was able to use stats twice to accomplish what I wanted.

index=animalfood
| stats count by Animal, Food
| stats list(Food) list(count) by Animal

The first stats creates the Animal, Food, count pairs.
The second stats creates the multivalue table associating the Food, count pairs to each Animal.

DalJeanis
SplunkTrust

Correct. It's best to avoid transaction when you can. It is very resource intensive, and easy to have problems with.

To relate the values to each other, and to get a sum of how many total times the Animal ate, you could also break it out like this...

 index=animalfood
 | stats count as mycount by Animal, Food
 | eval foodcount=Food."=".mycount
 | stats values(foodcount) as FoodDetails, dc(Food) as FoodTypeCount, sum(mycount) as MealCount  by Animal

mstark31
Path Finder

Different approach - but cool way to solve the problem.
Also works.

I've also done a chart variation with

index=animalfood
| chart count by Animal, Food limit=0

Ayn
Legend

The thing about transaction is that it removes the individual events, so since the concept of the previously existing individual events is gone, it's tricky to do stats "per event". You could either calculate your statistics before running transaction, or you could use eval functions like mvcount for getting counts within multivalued fields that are created as part of the transaction. It's hard to give more specific advice without knowing more about your exact scenario.
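
The mvcount approach described in the reply above, as an added example that is not part of the original thread. The six sample events are constructed with makeresults, Animal and Food follow the dataset used elsewhere in this thread, and the field names n, total_meals and fish_meals are assumptions made for illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval Animal=case(n<=3, "cat", true(), "dog")
| eval Food=case(n<=2, "fish", n==3, "milk", true(), "bone")
| eval _time=_time+n
| sort 0 - _time
| transaction Animal mvlist=Food
| eval total_meals=mvcount(Food)
| eval fish_meals=coalesce(mvcount(mvfilter(Food=="fish")), 0)
| table Animal total_meals fish_meals
```

mvlist=Food keeps every Food value in the transaction, duplicates included, so mvcount counts events rather than distinct values; mvcount returns null when mvfilter matches nothing, which is why coalesce supplies the 0. For the constructed events the result is one row per Animal: cat with 3 meals, 2 of them fish, and dog with 3 meals and 0 fish.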

psobisch
Path Finder

ok thanks, that's what I did now.
Works well, but I would like to have searches which are not so extensive.
