Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to perform stats within a transaction?

the_wolverine
Champion
‎10-24-2013 03:23 PM

I have a transaction with multiple values for the same field. Is it possible for me to do a dc(other_field) within a transaction?

My search | transaction same_field maxspan=1m | stats dc(other_field)

Above doesn't seem to work, it just throws away my transactions.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

wpreston
Motivator
‎10-24-2013 06:09 PM

I think mvcount() could be your friend here. Something along these lines:

your search | transaction same_field maxspan=1m | eval same_field_count=mvcount(same_field)

...something like that. same_field_count should be a count of the distinct values of same_field within each transaction. If you want a total count of ALL values of same_field (including duplicates) within each transaction, use the mvlist option within your transaction. I'm not where I can test this search but I think it will be pretty close to what you need.

View solution in original post

Reply
Solved! Jump to solution
Solution

wpreston
Motivator
‎10-24-2013 06:09 PM

I think mvcount() could be your friend here. Something along these lines:

your search | transaction same_field maxspan=1m | eval same_field_count=mvcount(same_field)

...something like that. same_field_count should be a count of the distinct values of same_field within each transaction. If you want a total count of ALL values of same_field (including duplicates) within each transaction, use the mvlist option within your transaction. I'm not where I can test this search but I think it will be pretty close to what you need.

Reply
Solved! Jump to solution

nivedita_viswan
Path Finder
‎05-26-2015 10:08 AM

I dont believe mvcount returns a count of the distinct values. It simply returns a count of the number of values

0 Karma
Reply
Solved! Jump to solution

wpreston
Motivator
‎10-25-2013 06:26 PM

Sure, happy to help!

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-25-2013 11:43 AM

Yes! Thank you!!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎10-24-2013 04:37 PM

eventstats perhaps?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...