https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104623#M22030 <P>I am using the Google Analytics Data Export API to pull some data down into a log file so it can be indexed by splunk. Data is printed out in the following format:</P> <P>ga:eventCategory=ViewChange | ga:eventAction=Grid ga:totalEvents=6 ga:uniqueEvents=2<BR /><BR /> ga:eventCategory=SessionEvent | ga:eventAction=UserLogin ga:totalEvents=13 ga:uniqueEvents=9 </P> <P>My search for counting logins is:</P> <P>source="googleanalytics.txt" "ga:eventCategory=SessionEvent | ga:eventAction=UserLogin" | extract kvdelim="=" | timechart span=1d sum(totalEvents) as "Total Logins", sum(uniqueEvents) as "Unique Logins"</P> <P>The problem is that the search is taking the first occurrence of ga:totalEvents, regardless of if it is a UserLogin event or not. </P> <P>Edit: To be more clear, for the above example the timechart displays 6 total, 2 unique logins instead of the expected 13 total, 9 unique. The pipe inside the quotes is read as a search character, but I have removed it just to make sure, am seeing the same result when just searching for "ga:eventAction=UserLogin"</P> Fri, 04 Nov 2011 21:46:42 GMT crobicha 2011-11-04T21:46:42Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104623#M22030 <P>I am using the Google Analytics Data Export API to pull some data down into a log file so it can be indexed by splunk. Data is printed out in the following format:</P> <P>ga:eventCategory=ViewChange | ga:eventAction=Grid ga:totalEvents=6 ga:uniqueEvents=2<BR /><BR /> ga:eventCategory=SessionEvent | ga:eventAction=UserLogin ga:totalEvents=13 ga:uniqueEvents=9 </P> <P>My search for counting logins is:</P> <P>source="googleanalytics.txt" "ga:eventCategory=SessionEvent | ga:eventAction=UserLogin" | extract kvdelim="=" | timechart span=1d sum(totalEvents) as "Total Logins", sum(uniqueEvents) as "Unique Logins"</P> <P>The problem is that the search is taking the first occurrence of ga:totalEvents, regardless of if it is a UserLogin event or not. </P> <P>Edit: To be more clear, for the above example the timechart displays 6 total, 2 unique logins instead of the expected 13 total, 9 unique. The pipe inside the quotes is read as a search character, but I have removed it just to make sure, am seeing the same result when just searching for "ga:eventAction=UserLogin"</P> Fri, 04 Nov 2011 21:46:42 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104623#M22030 crobicha 2011-11-04T21:46:42Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104624#M22031 <P>You must have mispasted your search - the "|ga:eventAction" would be a syntax error as Splunk would try to interpret that as a search command. Please check.</P> Sat, 05 Nov 2011 08:47:33 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104624#M22031 Ayn 2011-11-05T08:47:33Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104625#M22032 <P>Why don't you try this instead:</P> <P>source="googleanalytics.txt" (ga:eventCategory="SessionEvent" OR ga:eventAction="UserLogin") | extract kvdelim="=" | timechart span=1d sum(totalEvents) as "Total Logins", sum(uniqueEvents) as "Unique Logins"</P> Sun, 06 Nov 2011 21:17:19 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104625#M22032 tgow 2011-11-06T21:17:19Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104626#M22033 <P>I've run this in the search window and it does work, because it is in quotes splunk must recognize that it is a literal string and not a pipe</P> Mon, 07 Nov 2011 15:39:59 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104626#M22033 crobicha 2011-11-07T15:39:59Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104627#M22034 <P>I may switch to this syntax since it is more clear and doesn't use the pipe, but this doesn't fix my issue.</P> Mon, 07 Nov 2011 15:49:40 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104627#M22034 crobicha 2011-11-07T15:49:40Z https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104628#M22035 <P>I ended up using a regex after spending way too much time messing with sourcetypes and props.conf, this is my final search:</P> <P>source="googleanalytics.txt" "ga:eventCategory=SessionEvent | ga:eventAction=UserLogin" | rex field=_raw "ga:eventAction=UserLogin[\s]<EM>ga:totalEvents=(?<TOTALEVENTS>.</TOTALEVENTS></EM>)[\s]<EM>ga:uniqueEvents=(?<UNIQUEEVENTS>.</UNIQUEEVENTS></EM>)" | eval _time = _time - 172800 | timechart span=1d sum(totalEvents) as "Total Logins", sum(uniqueEvents) as "Unique Logins"</P> <P>The eval _time statement is because I haven't gotten splunk to pick up the timestamp in the log file properly, instead it timestamps the date when the script is run. GA data isnt guaranteed accurate until 48 hours later so the script pulls from the 24 period starting 3 days ago.</P> Fri, 18 Nov 2011 17:10:36 GMT https://community.splunk.com/t5/Getting-Data-In/Search-reads-first-event-instead-of-desired-event/m-p/104628#M22035 crobicha 2011-11-18T17:10:36Z