https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223511#M65811 <P>So you need them bounded by intervening, non-matching events? What I mean by that is that you want to not have a transaction cross another item - so an ID4 splits that ID3/name1 into two chunks, the before one and after one. Right?</P> <P>If so, I'd recommend using streamstats to split your events by counting number of distinct IDs in a two-item streamstats group. The short version:</P> <PRE><CODE>... | streamstats window=2 distinct_count(ID) AS splitter| transaction startswith=splitter&gt;1 ID name </CODE></PRE> <P>The longer version: I answered another question a while back with a similar solution that has explanations, so please <A href="https://answers.splunk.com/answers/243789/calculate-transaction-time-for-repeating-events.html#answer-243845">refer to this answer here</A> for more information.</P> <P>Let me know how it goes or if you need help with some tweaking!</P> Tue, 10 Nov 2015 16:12:43 GMT Richfez 2015-11-10T16:12:43Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223507#M65807 <P>Hi,</P> <P>If I have several events like this:</P> <P>ID1 name1 <BR /> ID2 name2 <BR /> ID3 name1 <BR /> ID3 name1 <BR /> ID3 name1 <BR /> ID4 name3 <BR /> ID3 name1 </P> <P>I would like to have the number of successive events by ID and by Name. So it will give me something like this:</P> <P>ID1 name1 1 <BR /> ID2 name2 1<BR /> ID3 name1 3<BR /> ID4 name3 1 <BR /> ID3 name1 1 </P> <P>My problem is with the transaction. It will regroup every identical ID instead of regrouping events that are successive, with the same ID and name.</P> <P>Can someone help me? <BR /> Thanks</P> Tue, 10 Nov 2015 10:25:37 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223507#M65807 chrispappo 2015-11-10T10:25:37Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223508#M65808 <P>anyone can help <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ?</P> Tue, 10 Nov 2015 15:12:44 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223508#M65808 chrispappo 2015-11-10T15:12:44Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223509#M65809 <P>If those have field names of "ID" and "Name", then the simple way would be </P> <PRE><CODE>... | stats count by ID, Name </CODE></PRE> <P>Transaction could be useful in other circumstances (perhaps even on this same data), but isn't probably what you need here.</P> Tue, 10 Nov 2015 15:31:53 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223509#M65809 Richfez 2015-11-10T15:31:53Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223510#M65810 <P>thanks for answering. The problem is with your order the result will be </P> <PRE><CODE>ID1 name1 1 ID2 name2 1 ID3 name1 4 ID4 name3 1 </CODE></PRE> <P>And I want something like </P> <PRE><CODE>ID1 name1 1 ID2 name2 1 ID3 name1 3 ID4 name3 1 ID3 name1 1 </CODE></PRE> <P>as you can see it's different from what I want, i want to count ONLY the following events who own the same ID/NAME!</P> <P>could you help ? </P> Tue, 10 Nov 2015 15:38:03 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223510#M65810 chrispappo 2015-11-10T15:38:03Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223511#M65811 <P>So you need them bounded by intervening, non-matching events? What I mean by that is that you want to not have a transaction cross another item - so an ID4 splits that ID3/name1 into two chunks, the before one and after one. Right?</P> <P>If so, I'd recommend using streamstats to split your events by counting number of distinct IDs in a two-item streamstats group. The short version:</P> <PRE><CODE>... | streamstats window=2 distinct_count(ID) AS splitter| transaction startswith=splitter&gt;1 ID name </CODE></PRE> <P>The longer version: I answered another question a while back with a similar solution that has explanations, so please <A href="https://answers.splunk.com/answers/243789/calculate-transaction-time-for-repeating-events.html#answer-243845">refer to this answer here</A> for more information.</P> <P>Let me know how it goes or if you need help with some tweaking!</P> Tue, 10 Nov 2015 16:12:43 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223511#M65811 Richfez 2015-11-10T16:12:43Z https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223512#M65812 <P>I believe you are looking for the eventstats command <A href="http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/eventstats">http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/eventstats</A></P> <P>In your example, something like this may work..`.. | sort idcolname | eventstats count by idcolname | dedup idcolname</P> <P>If this doesn't give you what you are looking for, try the streamstats command` <A href="http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/streamstats">http://docs.splunk.com/Documentation/Splunk/6.1/SearchReference/streamstats</A></P> Tue, 10 Nov 2015 16:32:43 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-with-count-of-successive-events/m-p/223512#M65812 sundareshr 2015-11-10T16:32:43Z