How do you expand multiple fields from a transacti...

khevans · ‎07-12-2019

I'm trying to mvexpand multiple fields from a transaction, particularly a time and uri_path from an Apache-style access log.

I'm trying this out but it does not work correctly, as it duplicates several fields:

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| transaction user useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri

What is the proper way of expanding multiple fields from a transaction?

woodcock · ‎07-15-2019

The "proper" way is to never user transaction at all. Try this:

eventtype=web_logs_valid user=* uri_path != /server*/*
| streamstats window=2 range(_time) AS pause BY user useragent
| streamstats count(eval(pause>300)) AS sessionID by user useragent
| table _time sessionID uri user useragent

richgalloway · ‎07-13-2019

Just guessing, but perhaps this will work better.

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| stats values(*) as * by user, useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri

---
If this reply helps you, Karma would be appreciated.

How do you expand multiple fields from a transaction?

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Are you a member of the Splunk Community?

How do you expand multiple fields from a transaction?

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ