topic How to edit my search to get the sum of multiple results per transaction_Id? in Splunk Search

How to edit my search to get the sum of multiple results per transaction_Id?

pawnalmighty — Thu, 15 Oct 2015 05:03:48 GMT

index=inctv starttime=10/07/2015:00:00:00 endtime=10/13/2015:00:00:00 (sourcetype="mysource" OperationName="*MyImpl.*" ActivityStep="rs") 
| eval txn_id=if(transaction_id LIKE "[%]", substr(transaction_id, 2, 36) , transaction_id) 
| chart values(Duration) over txn_id by OperationName

This gives me results arranged by transaction Ids like:

Transaction ID     MyImpl.method1()    MyImpl.method2()    MyImpl.method3()
trx_id1                   3                   4                   6
trx_id2                   5                   6                   7
trx_id3                   5                   5                   5

What I want is:

Transaction ID      All MyImpl Calls
trx_id1                    13
trx_id2                    17
trx_id3                    15

I am an absolute beginner in Splunk, so it would be very nice if you could explain what your solution does exactly.

Thanks

Re: How to edit my search to get the sum of multiple results per transaction_Id?

aljohnson_splun — Fri, 16 Oct 2015 16:57:39 GMT

You're really close. I think all you need to do is remove OperationName from your chart command

| chart values(Duration) over txn_id

^ However, looking at your serach, I'm guessing that you actually want to use list(Duration) instead of values(Duration) since it looks like you want to know the value for each and every txn_id regardless of uniqueness. Using values will list the value if it hasn't seen it before (it is a unique list). So for example, if two of your txn_id's had the same value, like 5, you'd only see it listed once from the values() function whereas list() doesn't care and just lists out the values, even if things are repeated.