Hello,
I'm running a fairly complex search using transactions in order to identify an error occurring in a distinct user session.
source=product event_type=video_heartbeat | sort by video_session_id, tx_sequence | transaction video_session_id video_progress maxpause=35s | search eventcount>1 | stats count by user_id
Essentially, if a user has the same video_session_id and video_progress, this indicates that their video has stopped playing. I'm trying to find out how many users are simultaneously encountering this error.
The search itself is correct--if I insert a userId then it will properly find all video pauses for this user. When I remove the filter I encounter strange behavior. I will search across a set date/time, and the search will retrieve 11 distinct users, list them off...and then truncate the list down to 8. If I switch the stats count by for stats dc(user_id) I encounter the same issue.
I saved the list of 11 user ids that it retrieves during the search and inserted the missing ones as filters, and then all properly appear. Is there a limit to the number of events Splunk can match? I can't think of any reason it would truncate results like this when they are clearly matching.
Thanks for any help.
When using sort it will truncate your results to the first 10000 results. To have sort return all results you need to use the command like this (0 = no limit).
sort 0 video_session_id, tx_sequence
Not sure if sort is the cause of your problem, but it's the first thing that stood out. Also I don't think you need to use the sort command in the first place with the transaction command.
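The corrected pipeline from the answer above, written out in full as an added example (not part of the original thread). It keeps the original source, transaction and filter clauses and only changes the sort limit; the final stats line is an assumption about what the asker wants to see, not something the thread states. The `values(user_id)` column is there so you can compare the distinct count against the actual list and confirm nothing is being silently dropped any more.

```spl
source=product event_type=video_heartbeat
| sort 0 video_session_id, tx_sequence
| transaction video_session_id video_progress maxpause=35s
| search eventcount>1
| stats dc(user_id) AS stalled_users, values(user_id) AS user_ids
```

`sort 0` removes the default cap of 10000 rows; since `transaction` groups by `video_session_id` on its own, the sort line can also simply be deleted. The general lesson applies to any detection search: a command with an implicit result limit (`sort` without a count, `head`, `dedup` with a count) can drop matching events without any warning, so check a `dc()` or `count` against an unlimited run before trusting the numbers.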
That was it! Thanks very much for your help.