How do you expand multiple fields from a transacti... - Splunk Community

Splunk Search

I'm trying to mvexpand multiple fields from a transaction, particularly a time and uri_path from an Apache-style access log.

I'm trying this out but it does not work correctly, as it duplicates several fields:

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| transaction user useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri

What is the proper way of expanding multiple fields from a transaction?

The "proper" way is to never user transaction at all. Try this:

eventtype=web_logs_valid user=* uri_path != /server*/*
| streamstats window=2 range(_time) AS pause BY user useragent
| streamstats count(eval(pause>300)) AS sessionID by user useragent
| table _time sessionID uri user useragent

Just guessing, but perhaps this will work better.

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| stats values(*) as * by user, useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri

---
If this reply helps you, Karma would be appreciated.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...