Splunk Search

How do you expand multiple fields from a transaction?

Path Finder

I'm trying to mvexpand multiple fields from a transaction, particularly a time and uri_path from an Apache-style access log.

I'm trying this out but it does not work correctly, as it duplicates several fields:

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| transaction user useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri

What is the proper way of expanding multiple fields from a transaction?

0 Karma

Esteemed Legend

The "proper" way is to never user transaction at all. Try this:

eventtype=web_logs_valid user=* uri_path != /server*/*
| streamstats window=2 range(_time) AS pause BY user useragent
| streamstats count(eval(pause>300)) AS sessionID by user useragent
| table _time sessionID uri user useragent
0 Karma

SplunkTrust
SplunkTrust

Just guessing, but perhaps this will work better.

eventtype=web_logs_valid user=* uri_path != /server*/*
| eval orig_time = _time
| stats values(*) as * by user, useragent
| streamstats count as i
| mvexpand uri
| mvexpand orig_time
| table i orig_time uri
---
If this reply helps you, an upvote would be appreciated.
0 Karma