Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use transaction command to find the count of users that joined a meeting within a certain time range?

mbuschle
Explorer
‎10-16-2014 09:23 AM

I have a search situation I haven't yet been able to crack. I have two sourcetypes that contain data for Web Conference meeting rooms and users. I'd like to be able to write a search that can tell me how many attendees were in each meeting room. The meeting room data looks like this:

roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" servernode="Node1" serverinstance="Instance1" userid="f12345678" roomactive="10/16/2014 12:03:14 PM" roomdormant="10/16/2014 12:06:23 PM"

The users data looks like this:

servernode="Node1" serverinstance="Instance1" roomid="70c11df5-21fc-4fb4-9b2e-8964a36e3a94" roomname="My Room" userid="f87654321" clienttype="web" jointime="10/16/2014 12:03:14 PM" leavetime="10/16/2014 12:03:21 PM"

I have played around with a join, but that doesn't seem to do what I need. I've had limited success with the transaction command but have not found a way to limit the transaction to the correct time frame. Basically, I'd like to know that the user joined the room between the roomactive and roomdormant fields. This is really the only way to get an accurate count, as the meeting rooms can be used multiple times throughout the day.

I've had a bit of success with a search like _ index=confdata sourcetype=Meetings OR sourcetype=MeetingUsers | transaction roomid maxpause=1h_. This does allow me to count the userid fields for each room but doesn't confine the data to the time frame when the room was active. Any help would be greatly appreciated.

Tags (2)
0 Karma
Reply

chanfoli
Builder
‎10-16-2014 11:29 AM

I suggest you look at map.

You could run your search for room data then iterate over the results with map, searching your user data using fields from your room search:

** room search | map search="search index=confdata sourcetype=MeetingUsers | where (jointime>$roomactive$ AND jointime<$roomdormant$)" maxsearches=100**

You may then add on appropriate stats to get what you want, you might want to add some evals with strptime conversions on your time fields so that your comparisons are using epoch times.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...