https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269586#M81113 <P>We have denormalized some JSON events into CSV. The events themselves have simple fields (in the example data, <EM>id</EM>), and two arrays of objects (in the example data, <EM>foos</EM> and <EM>bars</EM>), and so the CSV equivalent will have all top-level fields on each row, and then either the first object type or second populated, with the other left empty. Below is 5 sample events in both CSV and JSON (sample events are highly truncated for brevity).<BR /> <STRONG>JSON:</STRONG></P> <PRE><CODE>{ "id":1, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"b", "footype":"red" }, { "fooval":"a", "footype":"red" }, { "fooval":"a", "footype":"green" } ], "bars":[ { "barval":"x" }, { "barval":"y" } ] } { "id":2, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"c", "footype":"red" } ], "bars":[ { "barval":"z" } ] } { "id":3, "foos":[ { "fooval":"c", "footype":"green" }, { "fooval":"d", "footype":"green" } ], "bars":[ { "barval":"y" } ] } { "id":4, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"c", "footype":"red" } ], "bars":[ { "barval":"y" } ] } { "id":5, "foos":[ { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"green" } ], "bars":[ { "barval":"y" } ] } </CODE></PRE> <P><STRONG>CSV:</STRONG></P> <PRE><CODE>id,fooval,footype,barval 1,a,red, 1,b,red, 1,a,red, 1,a,green, 1,,,x 1,,,y 2,a,red, 2,c,red, 2,,,z 3,c,green, 3,d,green, 3,,,y 4,a,red, 4,c,red, 4,,,y 5,d,red, 5,d,red, 5,d,red, 5,d,green, 5,,,y </CODE></PRE> <P>The type of questions that we're struggling with are ones where we need to filter by a value contained in one object array, and then do something else like count the values of the second object array. So using this data, a question we would like to answer is: <EM>get the count of unique fooval's for all events where there is a barval of 'y', and where the foo object has a footype of 'red'</EM><BR /> For our sample data the expected answer would be</P> <PRE><CODE>fooval count a 3 b 1 c 1 d 3 </CODE></PRE> <P><EM>(a would match for id 1 twice and id 4 once, b once for id 1, c once for id 4, and d three times for id 5)</EM></P> <P>Since we need to filter the search by barval, which is never present in any rows that have a foo object, we have attempted the solution using the transaction command. A simple attempt to do so looks like this</P> <PRE><CODE>search | transaction id | search barval=y footype=red | top fooval </CODE></PRE> <P>However, the result here <EM>(a:2, b:1, c:1, d:1)</EM> is only a count of the transacted events where these fields exist, not a unique filterer count.<BR /> What gets us much closer is when we use the transaction option mvlist=true</P> <PRE><CODE>index=search_trouble sourcetype=search_trouble_csv | transaction id mvlist=true | search barval=y footype=red | top fooval | where fooval!="NULL" </CODE></PRE> <P>However this now gives us (<EM>a:4, b:1, c:1, d:4</EM>), which is because we're still counting the foo objects where footype=red.<BR /> Ideally I think we'd want to split the transaction back into events and apply another filter on footype, although attempts at this have failed (we tried using mvraw=true as well).</P> <P>Any insights would be appreciated, thanks!</P> Thu, 04 Feb 2016 20:33:32 GMT kevin_telford 2016-02-04T20:33:32Z https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269586#M81113 <P>We have denormalized some JSON events into CSV. The events themselves have simple fields (in the example data, <EM>id</EM>), and two arrays of objects (in the example data, <EM>foos</EM> and <EM>bars</EM>), and so the CSV equivalent will have all top-level fields on each row, and then either the first object type or second populated, with the other left empty. Below is 5 sample events in both CSV and JSON (sample events are highly truncated for brevity).<BR /> <STRONG>JSON:</STRONG></P> <PRE><CODE>{ "id":1, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"b", "footype":"red" }, { "fooval":"a", "footype":"red" }, { "fooval":"a", "footype":"green" } ], "bars":[ { "barval":"x" }, { "barval":"y" } ] } { "id":2, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"c", "footype":"red" } ], "bars":[ { "barval":"z" } ] } { "id":3, "foos":[ { "fooval":"c", "footype":"green" }, { "fooval":"d", "footype":"green" } ], "bars":[ { "barval":"y" } ] } { "id":4, "foos":[ { "fooval":"a", "footype":"red" }, { "fooval":"c", "footype":"red" } ], "bars":[ { "barval":"y" } ] } { "id":5, "foos":[ { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"red" }, { "fooval":"d", "footype":"green" } ], "bars":[ { "barval":"y" } ] } </CODE></PRE> <P><STRONG>CSV:</STRONG></P> <PRE><CODE>id,fooval,footype,barval 1,a,red, 1,b,red, 1,a,red, 1,a,green, 1,,,x 1,,,y 2,a,red, 2,c,red, 2,,,z 3,c,green, 3,d,green, 3,,,y 4,a,red, 4,c,red, 4,,,y 5,d,red, 5,d,red, 5,d,red, 5,d,green, 5,,,y </CODE></PRE> <P>The type of questions that we're struggling with are ones where we need to filter by a value contained in one object array, and then do something else like count the values of the second object array. So using this data, a question we would like to answer is: <EM>get the count of unique fooval's for all events where there is a barval of 'y', and where the foo object has a footype of 'red'</EM><BR /> For our sample data the expected answer would be</P> <PRE><CODE>fooval count a 3 b 1 c 1 d 3 </CODE></PRE> <P><EM>(a would match for id 1 twice and id 4 once, b once for id 1, c once for id 4, and d three times for id 5)</EM></P> <P>Since we need to filter the search by barval, which is never present in any rows that have a foo object, we have attempted the solution using the transaction command. A simple attempt to do so looks like this</P> <PRE><CODE>search | transaction id | search barval=y footype=red | top fooval </CODE></PRE> <P>However, the result here <EM>(a:2, b:1, c:1, d:1)</EM> is only a count of the transacted events where these fields exist, not a unique filterer count.<BR /> What gets us much closer is when we use the transaction option mvlist=true</P> <PRE><CODE>index=search_trouble sourcetype=search_trouble_csv | transaction id mvlist=true | search barval=y footype=red | top fooval | where fooval!="NULL" </CODE></PRE> <P>However this now gives us (<EM>a:4, b:1, c:1, d:4</EM>), which is because we're still counting the foo objects where footype=red.<BR /> Ideally I think we'd want to split the transaction back into events and apply another filter on footype, although attempts at this have failed (we tried using mvraw=true as well).</P> <P>Any insights would be appreciated, thanks!</P> Thu, 04 Feb 2016 20:33:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269586#M81113 kevin_telford 2016-02-04T20:33:32Z https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269587#M81114 <P>Hi,</P> <P>This is what I've done (simply replace my inputcsv with your "index=search_trouble sourcetype=search_trouble_csv")</P> <PRE><CODE>| inputcsv mycsv.csv | eval foovaltype = fooval . "::" . footype | stats list(foovaltype) as foovaltype, list(barval) as barval by id | mvexpand barval | mvexpand foovaltype | eval temp = split(foovaltype,"::") | eval fooval = mvindex(temp,0) | eval footype = mvindex(temp,1) | fields - temp, foovaltype | stats count by fooval | search barval=y footype=red </CODE></PRE> <P>And the output is:</P> <PRE><CODE>fooval count a 3 b 1 c 1 d 3 </CODE></PRE> Tue, 29 Sep 2020 08:40:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269587#M81114 javiergn 2020-09-29T08:40:33Z https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269588#M81115 <P>Very cool, thank you. I always forget about stats list. I had to change the order of the last two commands and search then stats count, but otherwise works like a charm. Thanks again.</P> Fri, 05 Feb 2016 17:43:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-split-and-filter-transaction-events/m-p/269588#M81115 kevin_telford 2016-02-05T17:43:47Z