I am trying to determine the sequence of pageviews that a visitor visits. I have the following query:
eventtype="AnalyticsLog" | transaction SessionID | makemv uri | eval homeoffset=mvfind(uri, "/") | eval signupoffset=mvfind(uri, "/signup") | eval infooffset=mvfind(uri, "/info") | table SessionID uri homeoffset signupoffset infooffset
When I run the query, the transactions are always sorted alphabetically, so regardless of whether a visitor goes to / -> /signup -> /info or / -> /info -> /signup, the offsets always indicate / = 0, /info = 1 and /signup = 2
How would I go about determining the order of pages viewed by a visitor?
Stumbled across the answer!
Multivalue rendering options
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
Yeah, the magic mvlist does the job, I've provided an example usage here as well:
http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/
Stumbled across the answer!
Multivalue rendering options
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
confirmed bug? expected behaviour? incorrect usage?
Here is a sample, retrieved by adding the following to the query:
| search SessionID="6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4".
The transaction shows that /login should be 0, /dashboard = 1 and /profile = 2. This is the event returned by the transaction:
2012-08-03T14:04:32.999Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/login"}
2012-08-03T14:04:36.996Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/dashboard"}
2012-08-03T14:04:37.240Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/profile"}
actual results:
This is happening in splunkstorm and a local installation of 4.3.1
Is this a bug in the mvfind command?