Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

problem with the ordering of multivalue fields in transactions

mathu
Path Finder
‎05-02-2013 11:46 PM

Hi

I'd like to analyze the path of http sessions. For example what were the four pages a user was visiting until he hits the "buy" button?

first, I generate a transaction and use maxevents

... | transaction client_id, endswith="(url=*buy)" maxevents=4 | search a_url="*buy"

then I use mvindex command to extract the four urls

... | eval 0_url=mvindex(url,0) | eval 1_url=mvindex(url,1) | eval 2_url=mvindex(url,2) | eval 3_url=mvindex(url,3)

for some of the sessions it works correct, but sometimes the field-ordering is incorrect. that means, I get 2_url and 3_url inverted. Even if the raw events of the transaction is in correct ordering

Is there a problem when I use mvindex within a transaction?

Kind regards
Mathias

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

Ayn
Legend
‎05-03-2013 12:22 AM

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Transaction

mvlist=<bool> | <field-list>
    Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.

View solution in original post

Reply
Solved! Jump to solution
Solution

Ayn
Legend
‎05-03-2013 12:22 AM

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Transaction

mvlist=<bool> | <field-list>
    Description: Flag controlling whether the multivalued fields of the transaction are (mvlist=t) a list of the original events ordered in arrival order or (mvlist=f) a set of unique field values ordered lexigraphically. If a comma/space delimited list of fields is provided only those fields are rendered as lists. By default, mvlist=f.
Reply
Solved! Jump to solution

Ayn
Legend
‎05-03-2013 12:56 AM

np. Please mark my answer as accepted if it solved your problem. Thanks!

0 Karma
Reply
Solved! Jump to solution

mathu
Path Finder
‎05-03-2013 12:31 AM

perfect, thank you

0 Karma
Reply
Solved! Jump to solution

mathu
Path Finder
‎05-03-2013 12:29 AM

perfect, thank you

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...