Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use transaction command to find the count of users that joined a meeting within a certain time range?

mbuschle
Explorer
‎10-16-2014 09:23 AM

I have a search situation I haven't yet been able to crack. I have two sourcetypes that contain data for Web Conference meeting rooms and users. I'd like to be able to write a search that can tell me how many attendees were in each meeting room. The meeting room data looks like this:

roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" servernode="Node1" serverinstance="Instance1" userid="f12345678" roomactive="10/16/2014 12:03:14 PM" roomdormant="10/16/2014 12:06:23 PM"

The users data looks like this:

servernode="Node1" serverinstance="Instance1" roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" userid="f87654321" clienttype="web" jointime="10/16/2014 12:03:14 PM" leavetime="10/16/2014 12:03:21 PM"

I have played around with a join, but that doesn't seem to do what I need. I've had limited success with the transaction command but have not found a way to limit the transaction to the correct time frame. Basically, I'd like to know that the user joined the room between the roomactive and roomdormant fields. This is really the only way to get an accurate count, as the meeting rooms can be used multiple times throughout the day.

I've had a bit of success with a search like _ index=confdata sourcetype=Meetings OR sourcetype=MeetingUsers | transaction roomid maxpause=1h_. This does allow me to count the userid fields for each room but doesn't confine the data to the time frame when the room was active. Any help would be greatly appreciated.

Tags (2)
0 Karma
Reply

chanfoli
Builder
‎10-16-2014 11:29 AM

I suggest you look at map.

You could run your search for room data then iterate over the results with map, searching your user data using fields from your room search:

** room search | map search="search index=confdata sourcetype=MeetingUsers | where (jointime>$roomactive$ AND jointime<$roomdormant$)" maxsearches=100**

You may then add on appropriate stats to get what you want, you might want to add some evals with strptime conversions on your time fields so that your comparisons are using epoch times.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top