Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats on transaction

psobisch
Path Finder
‎01-17-2014 12:40 AM

Hello,

I wonder about how can I do stats operation like counting of something inside of a transaction?

I have a transaction including multiple events of the same kind (or multiple kinds), I would like to make a table, listing all the transactions including the count of certain events.

Do you have any hints?

Regards,
Peter

Tags (2)
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 11:51 AM

If this is something you can accomplish with stats and not transaction, I've found a way to do it.
It appears that psobisch's original problem was solved, but in case anyone lands here from a search like I did, here you go.

Let's say I have a dataset that records every time an Animal eats a certain type of Food. Multiple Animals eat multiple types of Food.
My first search to make a full list of each time an Animal eats Food was this:

index=animalfood
| transaction Animal mvlist=t
| table *

Then, I wanted to count and list, by Animal, how many times they ate each kind of food. Keeping the multivalue format was important - I only wanted each Animal listed once.

I was able to uses stats twice to accomplish what I wanted.

index=animalfood
| stats count by Animal, Food
| stats list(Food) list(count) by Animal

The first stats creates the Animal, Food, count pairs.
The second stats creates the multivalue table associating the Food, count pairs to each Animal.

Reply

DalJeanis
Legend
‎05-18-2017 01:41 PM

Correct. It's best to avoid transaction when you can. It is very resource intensive, and easy to have problems with.

To relate the values to each other, and to get a sum of how many total times the Animal ate, you could also break it out like this...

 index=animalfood
 | stats count as mycount by Animal, Food
 | eval foodcount=Food."=".mycount
 | stats values(foodcount) as FoodDetails, dc(Food) as FoodTypeCount, sum(mycount) as MealCount  by Animal
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 02:20 PM

Different approach - but cool way to solve the problem.
Also works.

I've also done a chart variation with 

index=animalfood
| chart count by Animal, Food limit=0
0 Karma
Reply

Ayn
Legend
‎01-17-2014 01:55 AM

The thing about transaction is that it removes the individual events, so since the concepts of the previously existing individual events is gone it's tricky to do stats "per event". You could either calculate your statistics before running transaction, or you could use eval functions like mvcount for getting counts within multivalued fields that are created as part of the transaction. It's hard to give more specific advice without knowing more about your exact scenario.

Reply

psobisch
Path Finder
‎01-23-2014 12:08 AM

ok thanks, that's what I did now.
Works well, but I would like to have searches which are not so extensive.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...