https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70735#M17719 <P>You don't say where in the process you're stuck, but in this answer I'm assuming the following:</P> <UL> <LI>The unique identifier is present in all points 1-4 so that they can be identified correctly.</LI> <LI>The unique identifier is extracted to some field in Splunk (let's call it <CODE>txnid</CODE> in this example)</LI> </UL> <P>If you've got that far, this is my suggestion on how to proceed. Run <CODE>transaction</CODE> to group the events together. <CODE>transaction</CODE> will, among other things it does, create two fields called <CODE>eventcount</CODE> and <CODE>duration</CODE>. <CODE>eventcount</CODE> is exactly what it says - the number of events in each transaction. So you could build your transactions, then check which ones don't have exactly 4 events in them, and the ones that do have it. This can then be used in your stats calculation.</P> <PRE><CODE>... | transaction txnid | stats dc(txnid) as total_txn_count, count(eval(eventcount=4)) as txn_success, count(eval(eventcount!=4)) as txn_fail </CODE></PRE> Tue, 25 Sep 2012 22:17:02 GMT Ayn 2012-09-25T22:17:02Z https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70734#M17718 <P>I have transactions being logged to Splunk, but I get multiple messages per transaction.<BR /> We are in the middle tier and the 4 messages are as follows:<BR /> Point 1 - We receive a request from a requester with a unique identifier.<BR /> Point 2 - We send the request to a backend system<BR /> Point 3 - We receive a response from a backend system<BR /> Point 4 - We send the response to the requester.</P> <P>Having all 4 points would indicate a successful transaction. If we don't get all 4 points, then it is a failed request. What I've got is the count of the points based on unique identifier, but I need a Total Count of transaction (total # of unique IDs), count of Success and count of failures.</P> <P>Thanks in advance for your help.</P> Tue, 25 Sep 2012 21:18:10 GMT https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70734#M17718 sysprg1 2012-09-25T21:18:10Z https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70735#M17719 <P>You don't say where in the process you're stuck, but in this answer I'm assuming the following:</P> <UL> <LI>The unique identifier is present in all points 1-4 so that they can be identified correctly.</LI> <LI>The unique identifier is extracted to some field in Splunk (let's call it <CODE>txnid</CODE> in this example)</LI> </UL> <P>If you've got that far, this is my suggestion on how to proceed. Run <CODE>transaction</CODE> to group the events together. <CODE>transaction</CODE> will, among other things it does, create two fields called <CODE>eventcount</CODE> and <CODE>duration</CODE>. <CODE>eventcount</CODE> is exactly what it says - the number of events in each transaction. So you could build your transactions, then check which ones don't have exactly 4 events in them, and the ones that do have it. This can then be used in your stats calculation.</P> <PRE><CODE>... | transaction txnid | stats dc(txnid) as total_txn_count, count(eval(eventcount=4)) as txn_success, count(eval(eventcount!=4)) as txn_fail </CODE></PRE> Tue, 25 Sep 2012 22:17:02 GMT https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70735#M17719 Ayn 2012-09-25T22:17:02Z https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70736#M17720 <P>That worked perfectly. Thanks.</P> Wed, 26 Sep 2012 13:00:18 GMT https://community.splunk.com/t5/Splunk-Search/Counting-a-field-for-number-of-messages-per-unique-value/m-p/70736#M17720 sysprg1 2012-09-26T13:00:18Z