topic Re: Search, top, count inside a transaction in Splunk Search

Search, top, count inside a transaction

emaccaferri — Tue, 23 Jul 2013 15:29:54 GMT

Hi!
I would like to know the frequency of each value of a certain field inside a transaction, for example:
my event after transaction (mvlist=t) are

23/07/2013 17:09 userdi1 value1
                 userid1 value2
                 userid1 value1
                 userid1 value3
                 userid1 value2
                 userid1 value1



23/07/2013 14:09 userid2 value2
                     userid2 value2
                     userid2 value2
                     userid2 value3
                     userid2 value2
                     userid2 value3

I wish to get the result:

23/07/2013 17:09 userdi1 value1 3
                         value2 2
                         value3 1

23/07/2013 14:09 userid2 value2 4
                         value3 2

I think to need transaction because in my log I have more than one "event" (section) for the same user.
This search

 index=ing sourcetype=callcenter | transaction maxpause=30m cif mvlist=t | stats count(value) by value

doesn't work.
My impression is that top or something similar inside a transaction without breakink it it impossible.
Any suggestion?
Thanks for your time

Re: Search, top, count inside a transaction

gregbujak — Tue, 23 Jul 2013 17:36:27 GMT

Hi emaccaferri, is there any reason you must use multi value? Would a table result be ok:
23/07/2013 17:09 userdi1 value1 3
23/07/2013 17:09 userdi1 value2 2
...

Re: Search, top, count inside a transaction

ftk — Tue, 23 Jul 2013 17:43:48 GMT

Since the transaction command groups events based on the common identifier and then basically creates a new event containing all of the transaction's events, you can do your counts based on _time (as each transaction will have a unique _time) value.

In your example you could do as follows:

index=ing sourcetype=callcenter | transaction maxpause=30m cif | stats count(value) by _time, cif, value

Which would give you a results set similar to this:

23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
23/07/2013 17:09 userid1 value3 1

23/07/2013 14:09 userid2 value2 4
23/07/2013 14:09 userid2 value3 2

Each unique value of _time indicates the counts for a single transaction.

Re: Search, top, count inside a transaction

emaccaferri — Wed, 24 Jul 2013 07:24:59 GMT

Can be in this way, the important thing is count number of event with that value

Re: Search, top, count inside a transaction

emaccaferri — Wed, 24 Jul 2013 07:42:07 GMT

This doesn't work either. The result become like
23/07/2013 17:09 userid1 value1 6
23/07/2013 17:09 userid1 value2 6
23/07/2013 17:09 userid1 value3 6

so each value counted like the total number of event for that userid,_time

Re: Search, top, count inside a transaction

ftk — Wed, 24 Jul 2013 13:07:52 GMT

In my answer I assumed that "value" is an extracted field. Is this correct? If it is an extracted field then the search I gave you aggregates the counts fine (I tested it on sample data).

Re: Search, top, count inside a transaction

emaccaferri — Wed, 24 Jul 2013 15:37:03 GMT

Yes, that field is extacted at search-time. But I don't understand, how is it possible that for you is working and not for me? I made copy&paste

Re: Search, top, count inside a transaction

ftk — Wed, 24 Jul 2013 15:42:41 GMT

Do you mind posting a single sample event (before using transaction)? Maybe I am assuming something in my test data that is not present.

Re: Search, top, count inside a transaction

emaccaferri — Fri, 26 Jul 2013 07:12:22 GMT

1003411 27/05/2013 10:40 value1
1003411 27/05/2013 10:41 value1
1003411 27/05/2013 10:43 value2
1008980 27/05/2013 12:21 value1

1008980 27/05/2013 12:21 value2

1008980 27/05/2013 12:21 value3

1008980 27/05/2013 12:21 value2

1008980 27/05/2013 12:23 value3
1008980 27/05/2013 12:23 value3

and so on