Splunk Search

Search, top, count inside a transaction

emaccaferri
Communicator

Hi!
I would like to know the frequency of each value of a certain field inside a transaction. For example,
my events after transaction (mvlist=t) are

23/07/2013 17:09 userid1 value1
                 userid1 value2
                 userid1 value1
                 userid1 value3
                 userid1 value2
                 userid1 value1



23/07/2013 14:09 userid2 value2
                     userid2 value2
                     userid2 value2
                     userid2 value3
                     userid2 value2
                     userid2 value3

I wish to get the result:

23/07/2013 17:09 userid1 value1 3
                         value2 2
                         value3 1

23/07/2013 14:09 userid2 value2 4
                         value3 2

I think I need transaction because in my log I have more than one "event" (section) for the same user.
This search

 index=ing sourcetype=callcenter | transaction maxpause=30m cif mvlist=t | stats count(value) by value 

doesn't work.
My impression is that top or something similar inside a transaction, without breaking it, is impossible.
Any suggestion?
Thanks for your time

0 Karma

emaccaferri
Communicator

It can be in this way; the important thing is to count the number of events with that value.

0 Karma

ftk
Motivator

Since the transaction command groups events based on the common identifier and then basically creates a new event containing all of the transaction's events, you can do your counts based on the _time value (as each transaction will have a unique _time).

In your example you could do as follows:

index=ing sourcetype=callcenter | transaction maxpause=30m cif | stats count(value) by _time, cif, value

Which would give you a results set similar to this:

23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
23/07/2013 17:09 userid1 value3 1

23/07/2013 14:09 userid2 value2 4
23/07/2013 14:09 userid2 value3 2

Each unique value of _time indicates the counts for a single transaction.
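Added example, not from the thread: a Python stand-in for what `transaction maxpause=30m cif` does to the posted events, followed by the per-value count the question asks for. It assumes `cif` is the user identifier field and `value` is the search-time extracted field; the sample events are constructed from the ones posted in this thread, with one extra event for user 1003411 more than 30 minutes later so that the maxpause split is visible. It also reproduces the "6 for every value" result reported later in the thread, which comes from counting all values of the multivalue `value` field for each split row instead of counting the events carrying that value.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (cif, timestamp, value), modelled on the ones
# posted in the thread; timestamps are dd/mm/yyyy HH:MM.
SAMPLE_EVENTS = [
    ("1003411", "27/05/2013 10:40", "value1"),
    ("1003411", "27/05/2013 10:41", "value1"),
    ("1003411", "27/05/2013 10:43", "value2"),
    ("1008980", "27/05/2013 12:21", "value1"),
    ("1008980", "27/05/2013 12:21", "value2"),
    ("1008980", "27/05/2013 12:21", "value3"),
    ("1008980", "27/05/2013 12:21", "value2"),
    ("1008980", "27/05/2013 12:23", "value3"),
    ("1008980", "27/05/2013 12:23", "value3"),
    # constructed: same user, more than 30 minutes after the previous
    # event, so it must land in a separate transaction
    ("1003411", "27/05/2013 13:00", "value3"),
]

TS_FORMAT = "%d/%m/%Y %H:%M"


def parse_ts(s):
    return datetime.strptime(s, TS_FORMAT)


def build_transactions(events, maxpause=timedelta(minutes=30)):
    """Mimic `transaction maxpause=30m cif`: events with the same cif are
    grouped while the gap between consecutive events is <= maxpause.
    Each transaction keeps the earliest event time as _time and the
    field `value` as a multivalue list (one entry per member event)."""
    events = sorted(events, key=lambda e: parse_ts(e[1]))  # stable sort
    open_txn = {}   # cif -> transaction currently being extended
    closed = []
    for cif, ts_str, value in events:
        ts = parse_ts(ts_str)
        txn = open_txn.get(cif)
        if txn is not None and ts - txn["last"] > maxpause:
            closed.append(open_txn.pop(cif))   # pause exceeded: close it
            txn = None
        if txn is None:
            txn = {"cif": cif, "_time": ts, "last": ts, "value": []}
            open_txn[cif] = txn
        txn["value"].append(value)
        txn["last"] = ts
    closed.extend(open_txn.values())
    closed.sort(key=lambda t: t["_time"])
    return closed


def count_values_per_transaction(transactions):
    """Intended result: one row (_time, cif, value, count) per distinct
    value, where count is the number of member events carrying it."""
    rows = []
    for t in transactions:
        when = t["_time"].strftime(TS_FORMAT)
        for value, n in sorted(Counter(t["value"]).items()):
            rows.append((when, t["cif"], value, n))
    return rows


def naive_count_by_mv_value(transactions):
    """Reproduce the wrong result from the thread: the transaction is split
    into one row per distinct value, but each row still carries the whole
    multivalue field, so counting `value` yields the transaction's total
    event count on every row."""
    rows = []
    for t in transactions:
        when = t["_time"].strftime(TS_FORMAT)
        for value in sorted(set(t["value"])):
            rows.append((when, t["cif"], value, len(t["value"])))
    return rows


if __name__ == "__main__":
    txns = build_transactions(SAMPLE_EVENTS)
    print("correct:")
    for row in count_values_per_transaction(txns):
        print("  %s %s %s %d" % row)
    print("naive (what the reported search produced):")
    for row in naive_count_by_mv_value(txns):
        print("  %s %s %s %d" % row)
```

In SPL the same split of the multivalue field into one event per value is what `mvexpand value` does, so the editor's suggestion (not something stated in the thread) is to expand `value` after `transaction` and before `stats count by _time cif value`.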

emaccaferri
Communicator

1003411 27/05/2013 10:40 value1
1003411 27/05/2013 10:41 value1
1003411 27/05/2013 10:43 value2
1008980 27/05/2013 12:21 value1
1008980 27/05/2013 12:21 value2
1008980 27/05/2013 12:21 value3
1008980 27/05/2013 12:21 value2
1008980 27/05/2013 12:23 value3
1008980 27/05/2013 12:23 value3

and so on

0 Karma

ftk
Motivator

Do you mind posting a single sample event (before using transaction)? Maybe I am assuming something in my test data that is not present.

0 Karma

emaccaferri
Communicator

Yes, that field is extracted at search-time. But I don't understand: how is it possible that it works for you and not for me? I copied and pasted it.

0 Karma

ftk
Motivator

In my answer I assumed that "value" is an extracted field. Is this correct? If it is an extracted field then the search I gave you aggregates the counts fine (I tested it on sample data).

0 Karma

emaccaferri
Communicator

This doesn't work either. The results become like
23/07/2013 17:09 userid1 value1 6
23/07/2013 17:09 userid1 value2 6
23/07/2013 17:09 userid1 value3 6

so each value is counted as the total number of events for that userid, _time.

0 Karma

gregbujak
Path Finder

Hi emaccaferri, is there any reason you must use multivalue? Would a table result be ok?
23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
...

0 Karma