Solved: Transaction command: How to get the latest value o...

koshyk · ‎04-29-2019

As per the given example , I was looking to find the "value" of a field which is part of the 1st leg of the transaction

eg

2019-04-29 14:00:01  empID=123 empName=Joe sequence=DAY1 page=adminPage.jsp
2019-04-29 14:00:02  empID=123 department=Marketing sequence=DAY2 page=secondPage.jsp

...   | transaction empID startswith="DAY1" endswith="DAY2" maxspan=10s keeporphans=true

If I do the above, but do a

...   
| transaction empID startswith="DAY1" endswith="DAY2" maxspan=10s keeporphans=true
| stats count by empID,page

I will get two rows, because of "page" being present in 1st leg and 2nd leg

If I need to just the "page" value from the 1st leg of transaction, what should i Do?
(I can't do latest(page) after Transaction, as the time is both same. Also I don't have control over what happens above transaction command NOR in the transaction command as it is part of a wider macro search)

I'm expecting an output of

empID,page
123,adminPage.jsp;secondPage.jsp

somesoni2 · ‎04-29-2019

Give this a try

........
 | transaction empID startswith="DAY1" endswith="DAY2" maxspan=10s keeporphans=true mvlist=t
| eval page=mvindex(page,0)
 | stats count by empID,page

View solution in original post

somesoni2 · ‎04-29-2019

Give this a try

........
 | transaction empID startswith="DAY1" endswith="DAY2" maxspan=10s keeporphans=true mvlist=t
| eval page=mvindex(page,0)
 | stats count by empID,page

koshyk · ‎05-06-2019

thanks mate for the idea

Transaction command: How to get the latest value of field after transcation command?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!