Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

stats on transaction

psobisch
Path Finder
‎01-17-2014 12:40 AM

Hello,

I wonder about how can I do stats operation like counting of something inside of a transaction?

I have a transaction including multiple events of the same kind (or multiple kinds), I would like to make a table, listing all the transactions including the count of certain events.

Do you have any hints?

Regards,
Peter

Tags (2)
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 11:51 AM

If this is something you can accomplish with stats and not transaction, I've found a way to do it.
It appears that psobisch's original problem was solved, but in case anyone lands here from a search like I did, here you go.

Let's say I have a dataset that records every time an Animal eats a certain type of Food. Multiple Animals eat multiple types of Food.
My first search to make a full list of each time an Animal eats Food was this:

index=animalfood
| transaction Animal mvlist=t
| table *

Then, I wanted to count and list, by Animal, how many times they ate each kind of food. Keeping the multivalue format was important - I only wanted each Animal listed once.

I was able to uses stats twice to accomplish what I wanted.

index=animalfood
| stats count by Animal, Food
| stats list(Food) list(count) by Animal

The first stats creates the Animal, Food, count pairs.
The second stats creates the multivalue table associating the Food, count pairs to each Animal.

Reply

DalJeanis
Legend
‎05-18-2017 01:41 PM

Correct. It's best to avoid transaction when you can. It is very resource intensive, and easy to have problems with.

To relate the values to each other, and to get a sum of how many total times the Animal ate, you could also break it out like this...

 index=animalfood
 | stats count as mycount by Animal, Food
 | eval foodcount=Food."=".mycount
 | stats values(foodcount) as FoodDetails, dc(Food) as FoodTypeCount, sum(mycount) as MealCount  by Animal
0 Karma
Reply

mstark31
Path Finder
‎05-18-2017 02:20 PM

Different approach - but cool way to solve the problem.
Also works.

I've also done a chart variation with 

index=animalfood
| chart count by Animal, Food limit=0
0 Karma
Reply

Ayn
Legend
‎01-17-2014 01:55 AM

The thing about transaction is that it removes the individual events, so since the concepts of the previously existing individual events is gone it's tricky to do stats "per event". You could either calculate your statistics before running transaction, or you could use eval functions like mvcount for getting counts within multivalued fields that are created as part of the transaction. It's hard to give more specific advice without knowing more about your exact scenario.

Reply

psobisch
Path Finder
‎01-23-2014 12:08 AM

ok thanks, that's what I did now.
Works well, but I would like to have searches which are not so extensive.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...