https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321723#M96117 <P>When you do head that way, check out the March 2016 session from <A href="http://wiki.splunk.com/Virtual_.conf">http://wiki.splunk.com/Virtual_.conf</A> for more.</P> Wed, 22 Feb 2017 23:23:48 GMT martin_mueller 2017-02-22T23:23:48Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321711#M96105 <P>Hey folks,</P> <P>I have two separate searches that work fine and return the expected results. I.e.</P> <P>1 - <BR /> index=blah field1!=this field2!=that field3!=stuff TICKNUM&gt;=1 | bucket span=1d _time |transaction FIELD1 FIELD2 | stats avg(duration) as Avg_Duration by FIELD1 FIELD2 | some more time stuff | table FIELD1 FIELD2 Avg_Duration</P> <P>2-<BR /><BR /> index=blah field1!=this field2!=that field3!=stuff TICKNUM&gt;=1 |stats count by FIELD1 FIELD2</P> <P>When I add the second search as an appendcols I notice that some of the counts are blank / missing. I suspect my appendcols isn't joining properly.. I also tried to create a dummy common field (eval = FIELD1+FIELD2) in both searches in the hope that they would be used as the join but no success..</P> <P>thx!</P> Tue, 29 Sep 2020 13:00:22 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321711#M96105 RocIngersol 2020-09-29T13:00:22Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321712#M96106 <P>Try like this (it can be done via join as well but they are expensive so, try this append-stats alternative of join)</P> <PRE><CODE>index=blah field1!=this field2!=that field3!=stuff TICKNUM&gt;=1 | bucket span=1d _time |transaction FIELD1 FIELD2 | stats avg(duration) as Avg_Duration by FIELD1 FIELD2 | some more time stuff | table FIELD1 FIELD2 Avg_Duration | append [search index=blah field1!=this field2!=that field3!=stuff TICKNUM&gt;=1 |stats count by FIELD1 FIELD2 ] | stats values(*) as * by FIELD1 FIELD2 </CODE></PRE> Tue, 21 Feb 2017 21:50:07 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321712#M96106 somesoni2 2017-02-21T21:50:07Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321713#M96107 <P><CODE>appendcols</CODE> is no <CODE>join</CODE>.</P> <P>Add <CODE>sum(eventcount) as count</CODE> to the first <CODE>stats</CODE> and skip the second search entirely.</P> Tue, 21 Feb 2017 21:51:05 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321713#M96107 martin_mueller 2017-02-21T21:51:05Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321714#M96108 <P>appendcols is no join -&lt; that explains a lot.</P> <P>Re adding that to the first stats? That doesn't work as I need to use by fields later in the search. Using stats there breaks the rest of my search.</P> Tue, 21 Feb 2017 22:26:24 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321714#M96108 RocIngersol 2017-02-21T22:26:24Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321715#M96109 <P>Like this:</P> <PRE><CODE>index=blah field1!=this field2!=that field3!=stuff TICKNUM&gt;=1 | bucket span=1d _time |transaction FIELD1 FIELD2 | stats avg(duration) as Avg_Duration sum(eventcount) as count by FIELD1 FIELD2 | some more time stuff | table FIELD1 FIELD2 Avg_Duration </CODE></PRE> Tue, 21 Feb 2017 22:28:51 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321715#M96109 martin_mueller 2017-02-21T22:28:51Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321716#M96110 <P>Thx. What I'm trying to do is have stats count by FIELD1 FIELD2 appended as a column, seperate to the transaction stuff. Doing the sum(eventcount) is just totalling the bucketed 1d _time buckets, not all the actual occurrences from what I can see.. </P> Wed, 22 Feb 2017 12:57:45 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321716#M96110 RocIngersol 2017-02-22T12:57:45Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321717#M96111 <P>The <CODE>eventcount</CODE> field should have the count of events per transaction, and the sum of that should be your overall count of events. The <CODE>bucket</CODE> shouldn't have any effect because you're not grouping by time in the <CODE>stats</CODE>.</P> Wed, 22 Feb 2017 15:25:47 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321717#M96111 martin_mueller 2017-02-22T15:25:47Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321718#M96112 <P>Trying that --</P> <P>stats avg(duration) as Avg_Duration sum(eventcount) as count by FIELD1 FIELD2 </P> <P>sum(eventcount) is never the sum - it's always the value of event count.... </P> <P>tried a table at the end too. I'll keep poking..</P> Wed, 22 Feb 2017 16:05:18 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321718#M96112 RocIngersol 2017-02-22T16:05:18Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321719#M96113 <P>Sorry - I meant to say (!!) I do a dedupe on _time after my bucket 1d. That explains why sum(event count) doesn't work....</P> Wed, 22 Feb 2017 16:56:05 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321719#M96113 RocIngersol 2017-02-22T16:56:05Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321720#M96114 <P>I see... no way to know what you left out of your question <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>Alternatively, you can do this:</P> <PRE><CODE>... | eventstats count by FIELD1 FIELD2 | ... blah blah dedup whatever ... | stats avg(duration) first(count) by FIELD1 FIELD2 | ... </CODE></PRE> <P>It won't be that efficient, but in the context of <CODE>transaction</CODE> that won't matter much.</P> Wed, 22 Feb 2017 19:18:34 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321720#M96114 martin_mueller 2017-02-22T19:18:34Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321721#M96115 <P>I know - my bad - leaving out a killer _time dedup !! Anyway, eventstats - that worked a charm. Thanks a lot. I should probably drop transaction in favour or stats and eventstats too - but that is for another day <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thx again! R</P> Wed, 22 Feb 2017 22:40:05 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321721#M96115 RocIngersol 2017-02-22T22:40:05Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321722#M96116 <P>Thanks a lot for your comments - your append worked but I opted for the eventstats method instead. Thx!</P> Wed, 22 Feb 2017 22:41:38 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321722#M96116 RocIngersol 2017-02-22T22:41:38Z https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321723#M96117 <P>When you do head that way, check out the March 2016 session from <A href="http://wiki.splunk.com/Virtual_.conf">http://wiki.splunk.com/Virtual_.conf</A> for more.</P> Wed, 22 Feb 2017 23:23:48 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-search-and-appendcols-missing-cols/m-p/321723#M96117 martin_mueller 2017-02-22T23:23:48Z