https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251521#M75163 <P>Right now it does duration/day/user/ComputerName. To change it to duration/day/user, just Remove every occurrence of "ComputerName" in the search. Or, if you need this in addition (both), then just add this to your search:</P> <PRE><CODE>| appendpipe | stats sum(Duration) BY date User </CODE></PRE> <P>To change the date, just add this to the end of the search:</P> <PRE><CODE>| fieldformat date=strftime(date, "%Y-%m-%d") </CODE></PRE> Mon, 21 Mar 2016 14:18:48 GMT woodcock 2016-03-21T14:18:48Z https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251518#M75160 <P>Whats the best way to summarize this data and subsequently search the results? The reason i ask is because the docs mention there is a transaction command that may need to be swapped for an si* command?</P> <P>Here is the full search:</P> <PRE><CODE>index=win sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success [inputlookup users.csv | stats count by user | table user | rename user as Account_Name] | eval User=if(mvcount(Account_Name)&gt;1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | eval User=lower(User) | search NOT User=*$ | transaction User maxevents=2 startswith="EventCode=4624" endswith="EventCode=4634" maxspan=-1 | convert timeformat="%Y-%m-%d" ctime(_time) AS date | stats sum(duration) As Duration by date, User, ComputerName | eval Duration(M)=round((Duration/60), 0) | table date,User,Duration(M),ComputerName </CODE></PRE> <P>Thanks</P> Thu, 17 Mar 2016 16:29:03 GMT https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251518#M75160 smudge797 2016-03-17T16:29:03Z https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251519#M75161 <P>Avoid <CODE>transaction</CODE> like this:</P> <PRE><CODE>index=win sourcetype="WinEventLog:Security" source="WinEventLog:Security" EventCode=4624 OR EventCode=4634 Account_Name=* action=success [inputlookup users.csv | stats count by user | table user | rename user as Account_Name] | eval User=if(mvcount(Account_Name)&gt;1, mvindex(Account_Name,1), mvindex(Account_Name, 0)) | eval User=lower(User) | search NOT User=*$ | streamstats current=t count(eval(EventCode=4634)) AS SessionID BY User ComputerName | stats earliest(_time) AS date latest(_time) AS latest BY User ComputerName SessionID | eval Duration=latest - date | bucket date span=1d | stats sum(Duration) AS Duration BY date User ComputerName | eval Duration(M)=round((Duration/60), 0) | table date User Duration(M) ComputerName </CODE></PRE> Sun, 20 Mar 2016 23:26:52 GMT https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251519#M75161 woodcock 2016-03-20T23:26:52Z https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251520#M75162 <P>That's cool and runs quicker.<BR /> Can date be converted as it was?</P> <P>| convert timeformat="%Y-%m-%d" ctime(_time) AS date </P> <P>Also there a way to Aggregate the number of events per day/ per user?</P> <P>Thanks!</P> Mon, 21 Mar 2016 09:47:03 GMT https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251520#M75162 smudge797 2016-03-21T09:47:03Z https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251521#M75163 <P>Right now it does duration/day/user/ComputerName. To change it to duration/day/user, just Remove every occurrence of "ComputerName" in the search. Or, if you need this in addition (both), then just add this to your search:</P> <PRE><CODE>| appendpipe | stats sum(Duration) BY date User </CODE></PRE> <P>To change the date, just add this to the end of the search:</P> <PRE><CODE>| fieldformat date=strftime(date, "%Y-%m-%d") </CODE></PRE> Mon, 21 Mar 2016 14:18:48 GMT https://community.splunk.com/t5/Splunk-Search/summarize-transaction-search/m-p/251521#M75163 woodcock 2016-03-21T14:18:48Z