Splunk Search

Why does having multiple values for mvlist produce unexpected results for my transaction search?

Explorer

I am still not able to get 2 fields in the mvlist list. Here is my transaction line now:

| transaction visitID mvlist=actionName

I get a nice set of values that groups actions by visitID. However, if I change the above line to:

| transaction visitID mvlist=actionName,event_time

I get a totally different result set that doesn't look anything like the way I want it. Below is my full search:

source="/var/log/logstash/dynatraceqa*" businessTransaction="Real User Page Actions - Copy"
| transaction visitID mvlist=actionName
| table  application, visitID,  event_time, actionName, eventcount
| sort event_time
| addtotals row=f col=t fieldname=Total labelfield=actionName eventcount
| rename event_time as "Start Time", application as "Application", visitID as "Visit ID", actionName as "User Action". eventcount as  "Action Count" 
0 Karma

Explorer

...continued:

If i use mvlist=true i get the following:
alt text

0 Karma

Explorer

When i use the following in my transaction line:
| transaction visitID mvlist=actionName
I get the following results:
alt text

When i use the following in my transaction line:
| transaction visitID mvlist=actionName, apdex_score

I get the following results:
alt text

0 Karma

Legend

What kind of results are you expecting? Try this, without transaction command

source="/var/log/logstash/dynatraceqa*" businessTransaction="Real User Page Actions - Copy" | stats list(actionName) as actions by visitID application _time | eval eventcount=mvcount(actions) | rename ... | table ...