Splunk Search

How to count an event based on a unique variable?

zach5871
Explorer

My question may be somewhat misleading, but I'm trying to plot a timechart of one event field based on common variables within each event.

So each call activity produces three event records with a common "CC{@id}" "CC.dialogId". I have a working search counting the number of calls:

index="fe_test" sourcetype=fe_xml  source=$site_token$ $group_token$ | stats min(_time) AS start max(_time) AS end by "CC{@id}" "CC.dialogId"  | stats count AS "Total Calls"

This gives a stats count of total calls. And I have a working timechart that plots how active each site is:

index="fe_test" source=$site_token$ $group_token$ | timechart count by site_name limit=15

But the results are multiplied by a factor of 3. I'm trying to have the timechart of "site_name" events tied to the common "CC{@id}" "CC.dialogId" to that record.

1 Solution

Richfez
SplunkTrust

There are a couple of mechanisms to do this if I'm reading your question correctly.

If you mean you have events that come in groups of three, and when you do a timechart count of them you get three times the results, then your easiest way to handle this is to restrict your search more. This assumes that there's a way to identify only ONE of the three events that come in, but if there is you can just add that additional search filter to your base search. Like, "sessionstart" or something. I don't have any samples of your data, so I couldn't fathom what this would be, but maybe you can find something.

Otherwise if CC.dialogid is actually unique for each set of three events (i.e. it never repeats, or at least not often), then you could create a transaction out of it. I don't have any sample data, but a guess would be...

index="fe_test" sourcetype=fe_xml source=$site_token$ $group_token$ 
| transaction "CC{@id}" "CC.dialogId" maxspan=1h 
| timechart count by site_name limit=15

This gives you information much like stats does, too (or can - see the docs I linked), but should in any case make timechart behave properly.

Or, as a quick fix, and I really don't recommend this because it's too fragile, you could just divide your answer by three at the end of all that. 🙂 ...|eval count=count/3 ...
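The following is an added example, not part of the original thread, that builds a small constructed dataset inline so the "three records per call per site" problem and one fix can be tried in any Splunk search bar without the poster's index. The field names dialogId, site_name and event_type, the two sites and the three calls are all assumptions made for the example; in the real data you would put the base search (index="fe_test" sourcetype=fe_xml ...) in place of the first five lines and use "CC{@id}" "CC.dialogId" where dialogId appears. Instead of transaction, it collapses each call-at-a-site group to a single row with stats earliest(_time) ... by, which is cheaper than transaction and does not depend on maxspan:

```spl
| makeresults
| eval data="1,siteA,start;1,siteA,update;1,siteA,stop;1,siteB,start;1,siteB,update;1,siteB,stop;2,siteA,start;2,siteA,update;2,siteA,stop;3,siteB,start;3,siteB,update"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<dialogId>[^,]+),(?<site_name>[^,]+),(?<event_type>[^,]+)$"
| eval _time=now() - 3600 + tonumber(dialogId)*600
| fields _time dialogId site_name event_type
| stats earliest(_time) AS _time BY dialogId site_name
| timechart span=10m count BY site_name
```

The first seven lines are only the constructed input (one makeresults row expanded into eleven "events"). The stats line is the fix: one row per (dialogId, site_name) stamped with the first record's time, so the timechart counts each call once per site. Call 3 at siteB deliberately has only its start and update records, which is what live data looks like while a call is still in progress; it is still counted as one call here, whereas the divide-by-three shortcut would count it as 0.67 and the transaction form depends on the stop arriving within maxspan. Remove the stats line to see the inflated counts (3, 3 and 2 instead of 1, 1 and 1).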


zach5871
Explorer

This is exactly the solution I was looking for! As background, this is a mobile radio system that logs the "cc{@id}" as an initiated call across all sites with users listening to that group. Each site then creates a start, stop, and update with the same common "cc{@id}". Thank you once again. This software has gained attention around here faster than I can gain the knowledge to suffice. I'm sure I'll be back...

ppablo
Retired

Hi @zach5871

Glad you were able to find a solution through @rich7177 🙂 Please don't forget to resolve the post by clicking "Accept" directly below his answer. This will make your question easier to find for other users with a similar issue. Oh, and don't forget to upvote rich by clicking the up arrow to the left of his answer since he helped you out. Thanks!
