Splunk Search
Highlighted

How to count the occurrence of a field/string per transaction for events grouped with the transaction command?

New Member

I have custom log file in which we all logging various activities in a transaction context (correlation ID). In this particular case, we have a Rest Search to get price detail. Service accept 1 or more (can go to several thousand) SKUs and return price either from cache, or DB. log is generated for each SKU.

I have grouped all events using transaction command using the CorrelationId field. How do I count the number of cache hit or miss perc all.

Tried below, but this did not give me the answer:

index=pii sourcetype=pii:runway:service-log host=price-PriceService-prod* | transaction CorrelationId maxspan=15s | stats count(eval(SkuPriceCache="Hit")), count(eval(SkuPriceCache="Miss")) by CorrelationId

I can see eventocunt over 1000, but cachehit or miss is never more than 10 in this case.

0 Karma
Highlighted

Re: How to count the occurrence of a field/string per transaction for events grouped with the transaction command?

SplunkTrust
SplunkTrust

Could you please provide a sample event or two, and/or a sample of the output of the search you already have?

Thanks!

0 Karma
Highlighted

Re: How to count the occurrence of a field/string per transaction for events grouped with the transaction command?

SplunkTrust
SplunkTrust

How about this?

index=pii sourcetype=pii:runway:service-log host=price-PriceService-prod* 
| eval hit=if(SkuPriceCache="Hit",1,hit) 
| eval miss=if(SkuPriceCache="Miss",1,miss)
| transaction CorrelationId maxspan=15s 
| stats count(hit) count(miss) by CorrelationId

Of maybe like this:

index=pii sourcetype=pii:runway:service-log host=price-PriceService-prod* 
| transaction CorrelationId maxspan=15s 
| eval hit=if(match(_raw,".*Hit.*"),1,hit) 
| eval miss=if(match(_raw",".*Miss.*"),1,miss)
| stats count(hit) count(miss) by CorrelationId

View solution in original post

0 Karma
Highlighted

Re: How to count the occurrence of a field/string per transaction for events grouped with the transaction command?

New Member

I used transaction CorrelationID

0 Karma
Highlighted

Re: How to count the occurrence of a field/string per transaction for events grouped with the transaction command?

Legend

Try this

index=pii sourcetype=pii:runway:service-log host=price-PriceService-prod* | chart count over  SkuPriceCache by CorrelationId

*OR*

    index=pii sourcetype=pii:runway:service-log host=price-PriceService-prod* | chart dc(CorrelationId)  as dc over  SkuPriceCache by CorrelationId | fields - dc
0 Karma