I'm trying to mvexpand multiple fields from a transaction, particularly a time and uri_path from an Apache-style access log.
I'm trying this out but it does not work correctly, as it duplicates several fields:
eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| transaction user useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri
What is the proper way of expanding multiple fields from a transaction?
The "proper" way is to never user transaction
at all. Try this:
eventtype=web_logs_valid user=* uri_path != /server*/*
| streamstats window=2 range(_time) AS pause BY user useragent
| streamstats count(eval(pause>300)) AS sessionID by user useragent
| table _time sessionID uri user useragent
Just guessing, but perhaps this will work better.
eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| stats values(*) as * by user, useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri