Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use transaction command to find the count of users that joined a meeting within a certain time range?

mbuschle
Explorer
‎10-16-2014 09:23 AM

I have a search situation I haven't yet been able to crack. I have two sourcetypes that contain data for Web Conference meeting rooms and users. I'd like to be able to write a search that can tell me how many attendees were in each meeting room. The meeting room data looks like this:

roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" servernode="Node1" serverinstance="Instance1" userid="f12345678" roomactive="10/16/2014 12:03:14 PM" roomdormant="10/16/2014 12:06:23 PM"

The users data looks like this:

servernode="Node1" serverinstance="Instance1" roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" userid="f87654321" clienttype="web" jointime="10/16/2014 12:03:14 PM" leavetime="10/16/2014 12:03:21 PM"

I have played around with a join, but that doesn't seem to do what I need. I've had limited success with the transaction command but have not found a way to limit the transaction to the correct time frame. Basically, I'd like to know that the user joined the room between the roomactive and roomdormant fields. This is really the only way to get an accurate count, as the meeting rooms can be used multiple times throughout the day.

I've had a bit of success with a search like _ index=confdata sourcetype=Meetings OR sourcetype=MeetingUsers | transaction roomid maxpause=1h_. This does allow me to count the userid fields for each room but doesn't confine the data to the time frame when the room was active. Any help would be greatly appreciated.

Tags (2)
0 Karma
Reply

chanfoli
Builder
‎10-16-2014 11:29 AM

I suggest you look at map.

You could run your search for room data then iterate over the results with map, searching your user data using fields from your room search:

** room search | map search="search index=confdata sourcetype=MeetingUsers | where (jointime>$roomactive$ AND jointime<$roomdormant$)" maxsearches=100**

You may then add on appropriate stats to get what you want, you might want to add some evals with strptime conversions on your time fields so that your comparisons are using epoch times.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...