Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

stats on transaction

psobisch
Path Finder
‎01-17-2014 12:40 AM

Hello,

I wonder about how can I do stats operation like counting of something inside of a transaction?

I have a transaction including multiple events of the same kind (or multiple kinds), I would like to make a table, listing all the transactions including the count of certain events.

Do you have any hints?

Regards,
Peter

Tags (2)
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 11:51 AM

If this is something you can accomplish with stats and not transaction, I've found a way to do it.
It appears that psobisch's original problem was solved, but in case anyone lands here from a search like I did, here you go.

Let's say I have a dataset that records every time an Animal eats a certain type of Food. Multiple Animals eat multiple types of Food.
My first search to make a full list of each time an Animal eats Food was this:

index=animalfood
| transaction Animal mvlist=t
| table *

Then, I wanted to count and list, by Animal, how many times they ate each kind of food. Keeping the multivalue format was important - I only wanted each Animal listed once.

I was able to uses stats twice to accomplish what I wanted.

index=animalfood
| stats count by Animal, Food
| stats list(Food) list(count) by Animal

The first stats creates the Animal, Food, count pairs.
The second stats creates the multivalue table associating the Food, count pairs to each Animal.

Reply

DalJeanis
Legend
‎05-18-2017 01:41 PM

Correct. It's best to avoid transaction when you can. It is very resource intensive, and easy to have problems with.

To relate the values to each other, and to get a sum of how many total times the Animal ate, you could also break it out like this...

 index=animalfood
 | stats count as mycount by Animal, Food
 | eval foodcount=Food."=".mycount
 | stats values(foodcount) as FoodDetails, dc(Food) as FoodTypeCount, sum(mycount) as MealCount  by Animal
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 02:20 PM

Different approach - but cool way to solve the problem.
Also works.

I've also done a chart variation with 

index=animalfood
| chart count by Animal, Food limit=0
0 Karma
Reply

Ayn
Legend
‎01-17-2014 01:55 AM

The thing about transaction is that it removes the individual events, so since the concepts of the previously existing individual events is gone it's tricky to do stats "per event". You could either calculate your statistics before running transaction, or you could use eval functions like mvcount for getting counts within multivalued fields that are created as part of the transaction. It's hard to give more specific advice without knowing more about your exact scenario.

Reply

psobisch
Path Finder
‎01-23-2014 12:08 AM

ok thanks, that's what I did now.
Works well, but I would like to have searches which are not so extensive.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...