
analyzing transactions based on the values in the raw data

fere
Path Finder

Is there any way to analyze transaction data in SplunkStorm?
Here is what I have:
A transaction is defined by BeginTour and EndTour by user_id.
Within a transaction, there could be any number of activities (events) taken by user_id.

I want to be able to average the distinct number of activities by user_id when taking tours (a user_id may have many transactions/tours, so each transaction has a distinct number of activities, and I then want to average that dc(activities) number across transactions by user_id).

Also, is it possible to calculate the avg time spent on each event by user_id for each tour?
Is there any way to define a transaction within a transaction and be able to add a field to the outer transaction for the avg inner transaction duration?

Even though the extract caused the fields to be recognized by Splunk, and user_id under Interesting Fields shows up with 14 values, when I do the following it only comes back with user NULL and one avg value. I was hoping to get avg(duration) calculated for each user_id based on the transaction duration values:

source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" mvraw=t delim="," mvlist=user_id
| extract pairdelim="," kvdelim=":" | stats avg(duration) AS avg_dur by user_id
Thanks

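The two numbers asked for above (distinct activities per tour averaged across a user's tours, and average time per event within a tour) depend on how the raw events are sessionized into tours. The following is an added example, not code from the original post or from Splunk: it re-implements the relevant `transaction` semantics in plain Python over a constructed event sample, so the intended arithmetic can be checked before being written as SPL. The timestamps, the `user_id:`/`activity:` key-value layout, and the activity names are assumptions chosen to match the `pairdelim="," kvdelim=":"` extraction used in the question; "time spent on an event" is taken as the gap to the next event in the same tour.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample events, not data from the original post. Each line is
# "<timestamp>,<key>:<value>,..." so a pairdelim="," / kvdelim=":" split
# applies directly. u2's last event lies outside any tour (an orphan).
SAMPLE_EVENTS = """\
2024-01-01T10:00:00,user_id:u1,activity:BeginTour
2024-01-01T10:00:30,user_id:u1,activity:viewMap
2024-01-01T10:01:00,user_id:u1,activity:viewMap
2024-01-01T10:02:00,user_id:u1,activity:zoom
2024-01-01T10:03:00,user_id:u1,activity:EndTour
2024-01-01T10:00:10,user_id:u2,activity:BeginTour
2024-01-01T10:00:40,user_id:u2,activity:search
2024-01-01T10:01:10,user_id:u2,activity:EndTour
2024-01-01T11:00:00,user_id:u1,activity:BeginTour
2024-01-01T11:00:20,user_id:u1,activity:zoom
2024-01-01T11:00:40,user_id:u1,activity:EndTour
2024-01-01T12:00:00,user_id:u2,activity:stray
"""

BEGIN, END = "BeginTour", "EndTour"


def parse_event(line, pairdelim=",", kvdelim=":"):
    """Split one raw line the way `extract pairdelim=... kvdelim=...` would,
    returning a dict with a parsed `_time` plus the key/value pairs found."""
    ts, *pairs = line.split(pairdelim)
    fields = {"_time": datetime.fromisoformat(ts)}
    for pair in pairs:
        if kvdelim in pair:
            key, value = pair.split(kvdelim, 1)
            fields[key] = value
    return fields


def build_tours(lines):
    """Group events into tours per user_id: a tour opens at BeginTour and
    closes at EndTour, with no span or pause limit (maxspan=-1 maxpause=-1).
    Events that fall outside a tour are dropped, as with keeporphans=f."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["_time"])
    open_tours = {}                 # user_id -> events of the tour in progress
    tours = defaultdict(list)       # user_id -> list of completed tours
    for ev in events:
        uid, act = ev.get("user_id"), ev.get("activity")
        if uid is None:
            continue
        if act == BEGIN:
            open_tours[uid] = [ev]  # a new BeginTour restarts the user's tour
        elif uid in open_tours:
            open_tours[uid].append(ev)
            if act == END:
                tours[uid].append(open_tours.pop(uid))
        # any other event with no open tour is an orphan and is ignored
    return tours


def tour_metrics(tour):
    """Per-tour values: duration and eventcount (as `transaction` produces),
    the distinct activities taken between the markers, and seconds per event."""
    duration = (tour[-1]["_time"] - tour[0]["_time"]).total_seconds()
    inner = {e.get("activity") for e in tour if e.get("activity") not in (BEGIN, END)}
    # n events span n-1 gaps; a bare BeginTour/EndTour pair still divides safely
    gaps = max(len(tour) - 1, 1)
    return {"duration": duration, "eventcount": len(tour),
            "dc_activity": len(inner), "secs_per_event": duration / gaps}


def per_user_averages(lines):
    """Average the per-tour metrics across each user's tours, which is the
    `stats avg(...) by user_id` step once a per-tour field exists."""
    out = {}
    for uid, user_tours in build_tours(lines).items():
        metrics = [tour_metrics(t) for t in user_tours]
        out[uid] = {"tours": len(metrics),
                    "avg_distinct_activities": mean(m["dc_activity"] for m in metrics),
                    "avg_secs_per_event": mean(m["secs_per_event"] for m in metrics)}
    return out


if __name__ == "__main__":
    for uid, stats in sorted(per_user_averages(SAMPLE_EVENTS.splitlines()).items()):
        print(uid, stats)
```

On the constructed sample, u1 has two tours with 2 and 1 distinct activities (average 1.5) and 45 and 20 seconds per event (average 32.5); u2 has one tour (1 distinct activity, 30 seconds per event) and its stray event is discarded. The point of the structure is that each per-tour value must be computed on the transaction before it is averaged by user_id, which is why the question needs a per-transaction field first and a `stats ... by user_id` second.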
1 Solution

fere
Path Finder

Found out about mvlist and all the eval functions for mvlist and got it to work.


dart
Splunk Employee

What do you get back from your query? Does just source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" work?
