Counting Number of Events Matching Search in a Transaction

New Member

I have a number of events, correlated in a transaction by a field called distinct_id. The typical transaction setup is:

type=client 
| transaction distinct_id startswith="visit" maxpause=30m

Now, what I want to know is the number of events within the transaction that match some particular search, for example, let's say event=="pageView". The following does accomplish what I want:

type=client
| eval matchesSearch=if(event=="pageView", random(), null())
| transaction distinct_id startswith="visit" maxpause=30m
| eval numberMatches=mvcount(matchesSearch)

But it hardly seems like the best way. I'm wondering if there is a better way to do this.

*To be clear, the searches in question are far more complicated than this; I just wanted to simplify it for the example.

0 Karma

Re: Counting Number of Events Matching Search in a Transaction

Legend

The thing is, once you've run transaction it becomes harder to talk about individual events because you just effectively removed the individual events and replaced them with the combined events created by transaction. So off the top of my head I don't know of a better way of doing this than what you're already doing.

0 Karma

Re: Counting Number of Events Matching Search in a Transaction

Explorer

I think eventcount may be what you are looking for. From http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Transaction.

The transaction command produces two fields, duration and eventcount. The duration value is the difference between the timestamps for the first and last events in the transaction. The eventcount value is the number of events in the transaction.


Re: Counting Number of Events Matching Search in a Transaction

Communicator

Another option:

After making the transaction you can extract a multivalue field that contains all the matches and finally sum the number of items in it.

index=webnavigation
| transaction maxspan=24h maxpause=30m csusername
| rex max_match=0 "pageview(?<PV>.)"   <-- just to extract every match on individual events
| eval countPV = mvcount(PV)   <-- count the mv items
| stats sum(countPV) as PageViews   <-- sum of pageviews on transactions

You can try both to see which is more efficient.

0 Karma
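A third variant, added here as an example and not taken from any of the posts above: by default transaction collapses each field's values into a deduplicated set, which is why a plain if(event=="pageView", 1, null()) flag would count at most one match per transaction and why the random() trick in the question works. The mvlist option of transaction keeps every value of the listed field in arrival order instead, so a constant flag computed per event before the transaction can simply be counted afterwards, and searchmatch() lets that flag carry an arbitrarily complex search expression rather than a single field test. The field name hit, the status field and the search terms inside searchmatch() are assumptions for illustration; the search also assumes that events in which hit is null contribute no entry to the list.

```spl
type=client
| eval hit=if(searchmatch("event=pageView status=200"), 1, null())
| transaction distinct_id startswith="visit" maxpause=30m mvlist=hit
| eval numberMatches=coalesce(mvcount(hit), 0)
| table distinct_id eventcount numberMatches duration
```

The table at the end places numberMatches next to the eventcount field that transaction produces, so each row shows how many of the transaction's events matched the search against the total; coalesce() turns the null that mvcount() returns for a transaction with no matching event into an explicit 0.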