Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

analyzing transactions based on the values in the raw data

fere
Path Finder
‎08-30-2012 12:21 PM

Is there anyway to analyze trans data in SplunkStorm?
Here is what I have:
transaction is defined by beginTour and EndTour by user_id
Within a transaction, there could be any number of activties (events) taken by user_id

I want to be able to average distinct number of activities by user_id when taking tours ( a user_id may have many transactions/tours, so each transaction having distinct number of activities, then averaging that dc(activites) number accross transactions by user_id).

Also, is it possible to calculate the avg time spent on each event by user_id for each tour?
Is there anyway to define transaction within transaction and be able to add a field to the outer trans for avg inner trans duration?

even though the extract caused the fields to be recognized by Splunk and the user_id under interesting fields shows up with 14 values, still when I do the following, it only comes back with user NULL and one avg value. I was hoping to get avg(duration) calculated for each user_id based on the trans duration values:

source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" mvraw=t delim="," mvlist=user_id |
extract pairdelim=",", kvdelim=":" | stats avg(duration) AS avg_dur by user_id
Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fere
Path Finder
‎09-11-2012 10:04 AM

Found out about mvlist and all the eval functions for mvlist and got it to work.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fere
Path Finder
‎09-11-2012 10:04 AM

Found out about mvlist and all the eval functions for mvlist and got it to work.

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎09-04-2012 08:31 AM

What do you get back from your query? Does just source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" work?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...