Solved: transaction command searchs according to replaced ...

crazyeva · ‎09-27-2012

XXX | streamstats count | eval _time=count | sort _time | transaction maxspan=5s

I found "tranaction" is still using original "_time" but not repaced "_time" as "count"
How could I force transaction use replaced "_time"

Or I want to devide and group events by a certain number of them in order like:
No.1,2,3,4,5
6,7,8,9,10
11,12,13,14,15

Ayn · ‎09-27-2012

Use bucket instead.

... | bucket count span=5 | stats values(...) by count

View solution in original post

Ayn · ‎09-27-2012

Use bucket instead.

... | bucket count span=5 | stats values(...) by count

Ayn · ‎10-08-2012

That idea is horribly ugly, I wrote that more in the "purely technical it could work in some weird situations" sense rather than as an actual suggestion. 🙂

crazyeva · ‎10-08-2012

thank you! perfectly solved
but did you remember you have helped me:
http://splunk-base.splunk.com/answers/53991/can-i-transaction-a-search-with-a-range-field-not-strict...
when you said:"
.........
The only way I could think of is to violate the _time somehow by writing perduration to _time and let transaction operate on that.
"
I wished that could work! that may be quite useful

transaction command searchs according to replaced "_time" ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life