Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

analyzing transactions based on the values in the raw data

fere
Path Finder
‎08-30-2012 12:21 PM

Is there anyway to analyze trans data in SplunkStorm?
Here is what I have:
transaction is defined by beginTour and EndTour by user_id
Within a transaction, there could be any number of activties (events) taken by user_id

I want to be able to average distinct number of activities by user_id when taking tours ( a user_id may have many transactions/tours, so each transaction having distinct number of activities, then averaging that dc(activites) number accross transactions by user_id).

Also, is it possible to calculate the avg time spent on each event by user_id for each tour?
Is there anyway to define transaction within transaction and be able to add a field to the outer trans for avg inner trans duration?

even though the extract caused the fields to be recognized by Splunk and the user_id under interesting fields shows up with 14 values, still when I do the following, it only comes back with user NULL and one avg value. I was hoping to get avg(duration) calculated for each user_id based on the trans duration values:

source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" mvraw=t delim="," mvlist=user_id |
extract pairdelim=",", kvdelim=":" | stats avg(duration) AS avg_dur by user_id
Thanks

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

fere
Path Finder
‎09-11-2012 10:04 AM

Found out about mvlist and all the eval functions for mvlist and got it to work.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

fere
Path Finder
‎09-11-2012 10:04 AM

Found out about mvlist and all the eval functions for mvlist and got it to work.

0 Karma
Reply
Solved! Jump to solution

dart
Splunk Employee
Splunk Employee
‎09-04-2012 08:31 AM

What do you get back from your query? Does just source=xxxx | transaction user_id keeporphans=f maxspan=-1 maxpause=-1 startswith="BeginTour" endswith="EndTour" work?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...