Splunk Search

How to resolve issue with Dynatrace user session query that is retrieving multiple user actions?

sabari80
Explorer

can anyone help me to resolve my issue? here is the query which i am using 

 

index="dynatrace" "userActions{}.name" = "clickonnotes" | table "userActions{}.name","userActions{}.visuallyCompleteTime"

 

output

userActions{}.name userActions{}.visuallyCompleteTime

 
loadingofpage/cc/claimcenter.do
clickonsearch
keypressonc1
clickony3wc25120
clickonnotes
clickonlossdetails
clickonindemnity
9356
516
609
1276
981
1371
392
640
Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| spath userActions{} output=userActions
| mvexpand userActions
| spath input=userActions name
| spath input=userActions visuallyCompleteTime
| where name="clickonnotes"
| table name visuallyCompleteTime

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Are you saying only the "clickonnotes" row should be displayed?  That SPL should work, but Splunk can be finicky about how it handles JSON.  Can you share some events?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sabari80
Explorer

Yes i am looking just one row which is equivalent to 'clickonnotes' user action. 

Here is the event result 

11/3/22
10:58:03.871 PM
{ [-]
   applicationTypeWEB_APPLICATION
   bouncefalse
   browserFamilyMicrosoftEdge
   browserMajorVersionMicrosoftEdge105
   browserTypeDesktopBrowser
   clientTypeDesktopBrowser
   connectionTypeUNKNOWN
   dateProperties: [ [+]
   ]

   doubleProperties: [ [+]
   ]

   duration909842
   endReasonTIMEOUT
   endTime1667514156364
   errors: [ [+]
   ]

   events: [ [+]
   ]

   hasErrorfalse
   hasSessionReplayfalse
   internalUserId16638519974486RHOLEMU15S6B0FVU8SOGH0VFUVLULJ1
   ip10.146.0.241
   longProperties: [ [+]
   ]

   matchingConversionGoals: [ [+]
   ]

   matchingConversionGoalsCount0
   newUserfalse
   numberOfRageClicks0
   numberOfRageTaps0
   osFamilyWindows
   osVersionWindows10
   partNumber0
   screenHeight-1
   screenWidth-1
   startTime1667513246522
   stringProperties: [ [+]
   ]

   syntheticEvents: [ [+]
   ]

   tenantId3905aa6f-4130-439f-b336-dd2af9fa40d4
   totalErrorCount0
   totalLicenseCreditCount1
   userActionCount9
   userActions: [ [+]
   ]

   userExperienceScoreSATISFIED
   userIdMS86601
   userSessionIdKPFWHAWMDNROKALKEGUUEQKFPTQBQDMU-0
   userTypeREAL_USER

}

 

in the user action array has multiple user actions including 'clickonnotes'

 userActionCount: 9
   userActions: [ [-]
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }
     { [+]
     }

   ]

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like this

| spath userActions{} output=userActions
| mvexpand userActions
| spath input=userActions name
| spath input=userActions visuallyCompleteTime
| where name="clickonnotes"
| table name visuallyCompleteTime
0 Karma

sabari80
Explorer

Thanks... its working as expected... did some changes and i am good with it...

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...