Splunk Search

Why does having multiple values for mvlist produce unexpected results for my transaction search?

Explorer

I am still not able to get 2 fields in the mvlist list. Here is my transaction line now:

| transaction visitID mvlist=actionName

I get a nice set of values that groups actions by visitID. However, if I change the above line to:

| transaction visitID mvlist=actionName,event_time

I get a totally different result set that doesn't look anything like the way I want it. Below is my full search:

source="/var/log/logstash/dynatraceqa*" businessTransaction="Real User Page Actions - Copy"
| transaction visitID mvlist=actionName
| table  application, visitID,  event_time, actionName, eventcount
| sort event_time
| addtotals row=f col=t fieldname=Total labelfield=actionName eventcount
| rename event_time as "Start Time", application as "Application", visitID as "Visit ID", actionName as "User Action". eventcount as  "Action Count" 
0 Karma

Explorer

...continued:

If i use mvlist=true i get the following:
alt text

0 Karma

Explorer

When i use the following in my transaction line:
| transaction visitID mvlist=actionName
I get the following results:
alt text

When i use the following in my transaction line:
| transaction visitID mvlist=actionName, apdex_score

I get the following results:
alt text

0 Karma

Legend

What kind of results are you expecting? Try this, without transaction command

source="/var/log/logstash/dynatraceqa*" businessTransaction="Real User Page Actions - Copy" | stats list(actionName) as actions by visitID application _time | eval eventcount=mvcount(actions) | rename ... | table ...
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!