https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47652#M11379 <P>What do you get back from your query? Does just <CODE>source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour"</CODE> work?</P> Tue, 04 Sep 2012 15:31:11 GMT dart 2012-09-04T15:31:11Z https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47651#M11378 <P>Is there anyway to analyze trans data in SplunkStorm?<BR /> Here is what I have:<BR /> transaction is defined by beginTour and EndTour by user_id<BR /> Within a transaction, there could be any number of activties (events) taken by user_id<BR /><BR /> I want to be able to average distinct number of activities by user_id when taking tours ( a user_id may have many transactions/tours, so each transaction having distinct number of activities, then averaging that dc(activites) number accross transactions by user_id).</P> <P>Also, is it possible to calculate the avg time spent on each event by user_id for each tour? <BR /> Is there anyway to define transaction within transaction and be able to add a field to the outer trans for avg inner trans duration?</P> <P>even though the extract caused the fields to be recognized by Splunk and the user_id under interesting fields shows up with 14 values, still when I do the following, it only comes back with user NULL and one avg value. I was hoping to get avg(duration) calculated for each user_id based on the trans duration values:</P> <P>source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" mvraw=t delim="," mvlist=user_id |<BR /> extract pairdelim=",", kvdelim=":" | stats avg(duration) AS avg_dur by user_id<BR /> Thanks</P> Mon, 28 Sep 2020 12:21:30 GMT https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47651#M11378 fere 2020-09-28T12:21:30Z https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47652#M11379 <P>What do you get back from your query? Does just <CODE>source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour"</CODE> work?</P> Tue, 04 Sep 2012 15:31:11 GMT https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47652#M11379 dart 2012-09-04T15:31:11Z https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47653#M11380 <P>Found out about mvlist and all the eval functions for mvlist and got it to work.</P> Tue, 11 Sep 2012 17:04:27 GMT https://community.splunk.com/t5/Splunk-Search/analyzing-transactions-based-on-the-values-in-the-raw-data/m-p/47653#M11380 fere 2012-09-11T17:04:27Z