Hi
I'd like to analyze the path of http sessions. For example what were the four pages a user was visiting until he hits the "buy" button?
first, I generate a transaction and use maxevents
... | transaction client_id, endswith="(url=*buy)" maxevents=4 | search a_url="*buy"
then I use mvindex command to extract the four urls
... | eval 0_url=mvindex(url,0) | eval 1_url=mvindex(url,1) | eval 2_url=mvindex(url,2) | eval 3_url=mvindex(url,3)
for some of the sessions it works correct, but sometimes the field-ordering is incorrect. that means, I get 2_url and 3_url inverted. Even if the raw events of the transaction is in correct ordering
Is there a problem when I use mvindex within a transaction?
Kind regards
Mathias
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Transaction
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Transaction
mvlist=<bool> | <field-list>
Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
np. Please mark my answer as accepted if it solved your problem. Thanks!
perfect, thank you
perfect, thank you