Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

sum fields with same name on transaction

schose
Builder
‎05-13-2014 07:08 AM

Hi community,

I've some kind of webserver log. i want to get the traffic per transaction.. so far I'm getting the whole transaction with
search index="myindex" | transaction user
one event looks good like:

user login.html ...

page1.html size=100kb ...

pageN.html size=200kb ...

logoff.html

now i need to have sum for all "size" of a transaction. Is this possible? Do i have to write a pre-parsing script which may insert some kind of transaction id into the logfile before indexing it? Is there some kind of transactionid created when using "transaction"?

Thanks for you help in advance!

Andreas

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎05-13-2014 07:34 AM

There is field called _cd created by transaction command which can uniquely identify each transactions. I am assuming you already have a field (multivalued) which holds the size value in numeric form (if not add eval statements before transaction to do that), then you can use something like this to get the sum of size for each identified transactions

search index="myindex" | transaction user | eventstats sum(size) as TotalSize by _cd

View solution in original post

Reply
Solved! Jump to solution

dmaislin_splunk
Splunk Employee
Splunk Employee
‎05-13-2014 07:37 AM

This should get you going. I didn't have a user value other than - so I used clientip and renamed by bytes field to size so you can just ignore that part of my search. Transaction let's you take any given field that and push all the different event lines into a single event. It also creates a duration field and has many other options. Here are a few ways to get you going:

sourcetype=access_combined | rename bytes as size | rename clientip as user | eventstats sum(size) as subTotal by user | transaction user | table user size subTotal | streamstats sum(subTotal) as SubTotalSoFar

sourcetype=access_combined | rename bytes as size | rename clientip as user | transaction user | stats  sum(size) as subTotal by user

You may not really need transaction at all since it is expensive to use and just do this:

sourcetype=access_combined | rename bytes as size | rename clientip as user | stats  sum(size) as subTotal by user

I hope this gets you going.

Reply
Solved! Jump to solution
Solution

somesoni2
SplunkTrust
SplunkTrust
‎05-13-2014 07:34 AM

There is field called _cd created by transaction command which can uniquely identify each transactions. I am assuming you already have a field (multivalued) which holds the size value in numeric form (if not add eval statements before transaction to do that), then you can use something like this to get the sum of size for each identified transactions

search index="myindex" | transaction user | eventstats sum(size) as TotalSize by _cd
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...