I have a number of events, correlated in a transaction by a field called distinct_id. The typical transaction setup is:
type=client
| transaction distinct_id startswith="visit" maxpause=30m
Now, what I want to know is the number of events within the transaction that match some particular search; for example, let's say event=='pageView'. The following does accomplish what I want:
type=client
| eval matchesSearch=if(event=="pageView", random(), null())
| transaction distinct_id startswith="visit" maxpause=30m
| eval numberMatches=mvcount(matchesSearch)
But it hardly seems like the best way. I'm wondering if there is a better way to do this.
*To be clear, the searches in question are far more complicated than this; I just wanted to simplify it for the example.
Another option.
After making the transaction you can extract a multivalue field that contains all the matches and then sum the number of items in it.
index=webnavigation
| transaction maxspan=24h maxpause=30m cs_username
| rex max_match=0 "pageview(?
| eval countPV = mvcount(PV)            <- count the mv items
| stats sum(countPV) as PageViews       <- sum of pageviews on transactions
You can try both to see which is more efficient.
I think eventcount may be what you are looking for. From http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Transaction:
The transaction command produces two fields, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction. The eventcount value is the number of events in the transaction.
The thing is, once you've run transaction it becomes harder to talk about individual events, because you just effectively removed the individual events and replaced them with the combined events created by transaction. So off the top of my head I don't know of a better way of doing this than what you're already doing.