stats on transaction

Path Finder


I wonder how I can do a stats operation, like counting something, inside a transaction?

I have a transaction including multiple events of the same kind (or multiple kinds). I would like to make a table listing all the transactions, including the count of certain events.

Do you have any hints?

0 Karma

Path Finder

If this is something you can accomplish with stats and not transaction, I've found a way to do it.
It appears that psobisch's original problem was solved, but in case anyone lands here from a search like I did, here you go.

Let's say I have a dataset that records every time an Animal eats a certain type of Food. Multiple Animals eat multiple types of Food.
My first search to make a full list of each time an Animal eats Food was this:

| transaction Animal mvlist=t
| table *

Then, I wanted to count and list, by Animal, how many times they ate each kind of food. Keeping the multivalue format was important - I only wanted each Animal listed once.

I was able to use stats twice to accomplish what I wanted.

| stats count by Animal, Food
| stats list(Food) list(count) by Animal

The first stats creates the Animal, Food, count pairs.
The second stats creates the multivalue table associating the Food, count pairs to each Animal.


Correct. It's best to avoid transaction when you can. It is very resource intensive, and easy to have problems with.

To relate the values to each other, and to get a sum of how many total times the Animal ate, you could also break it out like this...

 | stats count as mycount by Animal, Food
 | eval foodcount=Food."=".mycount
 | stats values(foodcount) as FoodDetails, dc(Food) as FoodTypeCount, sum(mycount) as MealCount by Animal

0 Karma

Path Finder

Different approach - but cool way to solve the problem.
Also works.

I've also done a chart variation with

| chart count by Animal, Food limit=0

0 Karma


The thing about transaction is that it removes the individual events, so since the concept of the previously existing individual events is gone, it's tricky to do stats "per event". You could either calculate your statistics before running transaction, or you could use eval functions like mvcount for getting counts within multivalued fields that are created as part of the transaction. It's hard to give more specific advice without knowing more about your exact scenario.

Path Finder

OK, thanks, that's what I did now.
Works well, but I would like to have searches which are not so extensive.

0 Karma
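Both options from the reply above (statistics calculated before transaction, and mvcount on the multivalued field afterwards) in one search, as an added example that is not from any poster in this thread. The six events are constructed with makeresults, and the field names session, action, errors_before and errors_after are assumptions chosen for illustration.

```spl
| makeresults count=6
| streamstats count as n
| eval session=if(n<=4, "s1", "s2")
| eval action=case(n==1, "login", n==2, "error", n==3, "error", n==4, "logout", n==5, "login", n==6, "logout")
| eval _time=_time+n
| eventstats count(eval(action=="error")) as errors_before by session
| sort 0 -_time
| transaction session mvlist=action
| eval errors_after=coalesce(mvcount(mvfilter(action=="error")), 0)
| table session eventcount errors_before errors_after action
```

The mvlist=action argument matters for the mvcount approach: with the default mvlist=false, transaction keeps only the unique values of each field, so repeated "error" events collapse into one value and mvcount would count distinct values rather than events.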