Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I aggregate information into rows based on a transaction ID?

rpecka
Explorer
‎05-18-2022 12:51 PM

I have events which will all have an ID, stageID, stageDuration, as well as other information.

In the past I've used `chart sum(stageDuration) over ID by stageID` to create stacked bar charts, but now I’m more interested in the table produced by that command. It has a column for ID, then columns for the durations of each of the stageIDs that had the same ID.

I would like to create a similar table except I would like to include additional columns. For example, I would like to conditionally populate a column with event.startTime from the stage foo if the stageID foo exists for an ID.

I don't need to visualization, just the way of forming the table.

It seems like there might be a way to do this with transactions but I haven't been able to figure it out.

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-18-2022 01:52 PM

Try something like this

| eval foostart=if(stageID="foo", 'event.startTime',null())
| stats sum(stageDuration) as stageTotalDuration values(foostart) as foostart by ID stageID
0 Karma
Reply

rpecka
Explorer
‎05-25-2022 04:36 PM

This isn't quite it.

 

When I run the chart command I get this table:

sessionIDstageID1stageID2stageID...
id1998634
id2334522

 

I want the same thing except without the chart and with additional columns populated depending on what the stages are

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-25-2022 11:56 PM

Can you give an example of what you are trying to achieve?

0 Karma
Reply

rpecka
Explorer
‎05-27-2022 02:52 PM

I have events with stageIDs and IDs. I want to create one row for each ID which includes a column for each stageID to indicate whether it has or does not have a corresponding event for that stageID. Then I want to filter for only the rows (IDs) that have stageID=foo present, and then create a pie chart to count the occurrences of each stageID in the rows that remain

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-27-2022 03:02 PM 
| chart count by id stageid
| where foo!=0
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...