Transaction command not returning results

ssaenger · ‎07-16-2015

I would like to extract from my log file user details on how many time they have had a request to the SGW where the number of times is gretaer than 1.
I would like to make a table showing the user_id and number of times they made the request.

i would also like to do a total count of users with more than 1 request.

I thought transaction would do this, however its not resolving any results and seems to be very slow when running the search.

index=sgw sourcetype=sgw_log Request_type=Open TxType=Request | transaction user_id | where eventcount>1 | table user_id eventcount

thanks,

lguinn2 · ‎07-16-2015

You don't need the transaction command for this. I would avoid using the transaction command, if possible, because it is not nearly as efficient as stats.

 index=sgw sourcetype=sgw_log Request_type=Open TxType=Request 
| stats count as request_count by user_id 
| appendpipe [ stats count(eval(request_count>1)) as "Users with Multiple Requests") ]

If you only want to list the users with multiple requests:

 index=sgw sourcetype=sgw_log Request_type=Open TxType=Request 
| stats count as request_count by user_id 
| where request_count > 1
|  appendpipe [ stats count as "Users with Multiple Requests") ]

Transaction command not returning results

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!