Splunk Search

How to write a search to count variations (different order and number) of transaction events?

adamguzek
Explorer

I need a search to count variations of event occurance. Lets say we have events:
A,B,C,D,E which are combined into transaction by sessionid.
Event A is a start
Event E is an end.

In time, I have to search for transactions which have a different order and number of middle steps:
ABCDE
ACBDE
ABCDBCDE
and so on...

I need a stats count how many all of variations have occurred... I cannot predict all of the possible variations as steps are repeating between start and stop.

I need a table:
VARIANT - COUNT
ABCDE - 10
ABBE - 3
etc...

Any useful searches/commands I can try?

0 Karma

HiroshiSatoh
Champion

Try this!

your search | transaction  startswith=A endswith=E|eval VARIANT=mvjoin(event, "-")|stats count by VARIANT
0 Karma

woodcock
Esteemed Legend
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...