Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ordering of fields in a transaction (mvfind bug?)

brettcave
Builder
‎08-03-2012 06:32 AM

I am trying to determine the sequence of pageviews that a visitor visits. I have the following query:

eventtype="AnalyticsLog" | transaction SessionID | makemv uri | eval homeoffset=mvfind(uri, "/") | eval signupoffset=mvfind(uri, "/signup") | eval infooffset=mvfind(uri, "/info") | table SessionID uri homeoffset signupoffset infooffset

When I run the query, the transactions are always sorted alphabetically, so regardless of whether a visitor goes to / -> /signup -> /info or / -> /info -> /signup, the offsets always indicate / = 0, /info = 1 and /signup = 2

How would I go about determining the order of pages viewed by a visitor?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

brettcave
Builder
‎08-24-2012 02:17 AM

Stumbled across the answer!

transaction docs:

Multivalue rendering options

mvlist=<bool> | <field-list>

Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.

View solution in original post

Reply
Solved! Jump to solution

inode
Explorer
‎11-18-2014 11:19 AM

Yeah, the magic mvlist does the job, I've provided an example usage here as well:

http://foren6.wordpress.com/2014/11/18/why-is-my-splunk-transaction-not-working/

0 Karma
Reply
Solved! Jump to solution
Solution

brettcave
Builder
‎08-24-2012 02:17 AM

Stumbled across the answer!

transaction docs:

Multivalue rendering options

mvlist=<bool> | <field-list>

Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.

Reply
Solved! Jump to solution

brettcave
Builder
‎08-06-2012 01:06 AM

confirmed bug? expected behaviour? incorrect usage?

0 Karma
Reply
Solved! Jump to solution

brettcave
Builder
‎08-03-2012 07:29 AM

Here is a sample, retrieved by adding the following to the query:

| search SessionID="6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4".

The transaction shows that /login should be 0, /dashboard = 1 and /profile = 2. This is the event returned by the transaction: 

2012-08-03T14:04:32.999Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/login"}
2012-08-03T14:04:36.996Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/dashboard"}
2012-08-03T14:04:37.240Z | INFO | {"sessionId":"6c337bd7-1ee8-4beb-9d5d-5ef30a7721d4","uri":"/profile"}

actual results:

  • mvfind(uri, "/login"): 1
  • mvfind(uri, "/dashboard"): 0
  • mvfind(uri, "/profile"): 2

This is happening in splunkstorm and a local installation of 4.3.1

Is this a bug in the mvfind command?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...