Splunk Search

Counting Number of Events Matching Search in a Transaction

kevinrentenna
New Member

I have a number of events, correlated in a transaction by a field called distinct_id. The typical transaction setup is:

type=client 
| transaction distinct_id startswith="visit" maxpause=30m

Now, what I want to know is the number of events within the transaction that match some particular search, for example, let's say event=='pageView'. The following does accomplish what I want:

type=client 
| eval matchesSearch=if(event=="pageView", random(), null()) 
| transaction distinct_id startswith="visit" maxpause=30m 
| eval numberMatches=mvcount(matchesSearch)

But it hardly seems like the best way. I'm wondering if there is a better way to do this.

*To be clear, the searches in question are far more complicated than this; I just wanted to simplify it for the example.

0 Karma

bfernandez
Communicator

Other option.

After making the transaction you can extract a multivalue field that contains all the matches and finally sum the number of items in it.

index=webnavigation
| transaction maxspan=24h maxpause=30m cs_username
| rex max_match=0 "pageview(?<PV>.)"   <-- just to extract every match on individual events
| eval countPV = mvcount(PV)   <-- count the mv items
| stats sum(countPV) as PageViews   <-- sum of pageviews on transactions

You can try both to see which is more efficient.

0 Karma

mikehale0
Explorer

I think eventcount may be what you are looking for. From http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Transaction.

The transaction command produces two fields, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction. The eventcount value is the number of events in the transaction.

Ayn
Legend

The thing is, once you've run transaction it becomes harder to talk about individual events because you just effectively removed the individual events and replaced them with the combined events created by transaction. So off the top of my head I don't know of a better way of doing this than what you're already doing.

0 Karma
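An added example (not from any of the posters above) of the same per-transaction count without the random() marker. The reason the question's search needs a unique value per event is that transaction collapses each combined field into a set of distinct values; its mvlist option keeps every value in arrival order instead, so a constant flag can be counted directly. Field and event names are the question's own; the second flag for event=="visit" is a constructed addition to show the same pattern for two criteria at once.

```spl
type=client
| eval isPV=if(event=="pageView", 1, null())
| eval isVisit=if(event=="visit", 1, null())
| transaction distinct_id startswith="visit" maxpause=30m mvlist="isPV,isVisit"
| eval pageViews=coalesce(mvcount(isPV), 0)
| eval visits=coalesce(mvcount(isVisit), 0)
| table distinct_id eventcount pageViews visits duration
```

Events that do not match leave the flag null and add nothing; coalesce turns the null mvcount of a transaction with no matches into 0, and eventcount from transaction itself gives the denominator when a matching ratio per session is wanted.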