I need a search to count variations of event occurrence. Let's say we have events:
A,B,C,D,E which are combined into a transaction by sessionid.
Event A is a start
Event E is an end.
In time, I have to search for transactions which have a different order and number of middle steps:
ABCDE
ACBDE
ABCDBCDE
and so on...
I need a stats count of how many of all the variations have occurred... I cannot predict all of the possible variations as steps are repeating between start and stop.
I need a table:
VARIANT - COUNT
ABCDE - 10
ABBE - 3
etc...
Any useful searches/commands I can try?
Try this!
your search | transaction sessionid startswith=A endswith=E mvlist=t | eval VARIANT=mvjoin(event, "-") | stats count by VARIANT
Yes, check out the cluster command:
http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/cluster