Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use transaction command to find the count of users that joined a meeting within a certain time range?

mbuschle
Explorer
‎10-16-2014 09:23 AM

I have a search situation I haven't yet been able to crack. I have two sourcetypes that contain data for Web Conference meeting rooms and users. I'd like to be able to write a search that can tell me how many attendees were in each meeting room. The meeting room data looks like this:

roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" servernode="Node1" serverinstance="Instance1" userid="f12345678" roomactive="10/16/2014 12:03:14 PM" roomdormant="10/16/2014 12:06:23 PM"

The users data looks like this:

servernode="Node1" serverinstance="Instance1" roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" userid="f87654321" clienttype="web" jointime="10/16/2014 12:03:14 PM" leavetime="10/16/2014 12:03:21 PM"

I have played around with a join, but that doesn't seem to do what I need. I've had limited success with the transaction command but have not found a way to limit the transaction to the correct time frame. Basically, I'd like to know that the user joined the room between the roomactive and roomdormant fields. This is really the only way to get an accurate count, as the meeting rooms can be used multiple times throughout the day.

I've had a bit of success with a search like _ index=confdata sourcetype=Meetings OR sourcetype=MeetingUsers | transaction roomid maxpause=1h_. This does allow me to count the userid fields for each room but doesn't confine the data to the time frame when the room was active. Any help would be greatly appreciated.

Tags (2)
0 Karma
Reply

chanfoli
Builder
‎10-16-2014 11:29 AM

I suggest you look at map.

You could run your search for room data then iterate over the results with map, searching your user data using fields from your room search:

** room search | map search="search index=confdata sourcetype=MeetingUsers | where (jointime>$roomactive$ AND jointime<$roomdormant$)" maxsearches=100**

You may then add on appropriate stats to get what you want, you might want to add some evals with strptime conversions on your time fields so that your comparisons are using epoch times.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...