How to write a search to count variations (differe...

adamguzek · ‎10-16-2015

I need a search to count variations of event occurance. Lets say we have events:
A,B,C,D,E which are combined into transaction by sessionid.
Event A is a start
Event E is an end.

In time, I have to search for transactions which have a different order and number of middle steps:
ABCDE
ACBDE
ABCDBCDE
and so on...

I need a stats count how many all of variations have occurred... I cannot predict all of the possible variations as steps are repeating between start and stop.

I need a table:
VARIANT - COUNT
ABCDE - 10
ABBE - 3
etc...

Any useful searches/commands I can try?

HiroshiSatoh · ‎10-16-2015

Try this!

your search | transaction  startswith=A endswith=E|eval VARIANT=mvjoin(event, "-")|stats count by VARIANT

woodcock · ‎10-16-2015

Yes, check out the cluster command:

http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/cluster

How to write a search to count variations (different order and number) of transaction events?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation