Hi!
I would like to know the frequency of each value of a certain field inside a transaction, for example:
my event after transaction (mvlist=t) are
23/07/2013 17:09 userdi1 value1
userid1 value2
userid1 value1
userid1 value3
userid1 value2
userid1 value1
23/07/2013 14:09 userid2 value2
userid2 value2
userid2 value2
userid2 value3
userid2 value2
userid2 value3
I wish to get the result:
23/07/2013 17:09 userdi1 value1 3
value2 2
value3 1
23/07/2013 14:09 userid2 value2 4
value3 2
I think I need transaction because in my log I have more than one "event" (section) for the same user.
This search
index=ing sourcetype=callcenter | transaction maxpause=30m cif mvlist=t | stats count(value) by value
doesn't work.
My impression is that top or something similar inside a transaction without breaking it is impossible.
Any suggestion?
Thanks for your time
It can be this way; the important thing is to count the number of events with that value.
Since the transaction command groups events based on the common identifier and then basically creates a new event containing all of the transaction's events, you can do your counts based on the _time value (as each transaction will have a unique _time).
In your example you could do as follows:
index=ing sourcetype=callcenter | transaction maxpause=30m cif | stats count(value) by _time, cif, value
Which would give you a results set similar to this:
23/07/2013 17:09 userid1 value1 3
23/07/2013 17:09 userid1 value2 2
23/07/2013 17:09 userid1 value3 1
23/07/2013 14:09 userid2 value2 4
23/07/2013 14:09 userid2 value3 2
Each unique value of _time indicates the counts for a single transaction.
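The grouping the answer above describes, as an added Python example that is not part of the thread: it mimics `transaction maxpause=30m cif` on constructed sample events (assumed data, not the poster's log) and then counts values per transaction the way `stats count by _time, cif, value` does, including a second userid2 session more than 30 minutes later that maxpause splits into its own transaction.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, cif, value). Not taken from the thread.
T = lambda s: datetime.strptime(s, "%d/%m/%Y %H:%M")
EVENTS = [
    (T("23/07/2013 17:09"), "userid1", "value1"),
    (T("23/07/2013 17:10"), "userid1", "value2"),
    (T("23/07/2013 17:11"), "userid1", "value1"),
    (T("23/07/2013 17:12"), "userid1", "value3"),
    (T("23/07/2013 17:13"), "userid1", "value2"),
    (T("23/07/2013 17:14"), "userid1", "value1"),
    (T("23/07/2013 14:09"), "userid2", "value2"),
    (T("23/07/2013 14:10"), "userid2", "value2"),
    (T("23/07/2013 14:11"), "userid2", "value2"),
    (T("23/07/2013 14:12"), "userid2", "value3"),
    (T("23/07/2013 14:13"), "userid2", "value2"),
    (T("23/07/2013 14:14"), "userid2", "value3"),
    # More than 30 minutes after the previous userid2 event: separate transaction.
    (T("23/07/2013 15:30"), "userid2", "value1"),
]

def build_transactions(events, maxpause=timedelta(minutes=30)):
    """Mimic `transaction maxpause=30m cif`: group events per cif and start a
    new transaction whenever the gap to the previous event exceeds maxpause.
    Each transaction keeps its earliest timestamp as _time, like Splunk."""
    open_tx = {}        # cif -> transaction currently being extended
    transactions = []
    for ts, cif, value in sorted(events, key=lambda e: e[0]):
        tx = open_tx.get(cif)
        if tx is None or ts - tx["last"] > maxpause:
            tx = {"_time": ts, "cif": cif, "last": ts, "values": []}
            transactions.append(tx)
            open_tx[cif] = tx
        tx["last"] = ts
        tx["values"].append(value)
    return transactions

def count_by_transaction(events, maxpause=timedelta(minutes=30)):
    """Equivalent of `stats count by _time, cif, value` over the transactions:
    one row (_time, cif, value, count) per distinct value in each transaction."""
    rows = []
    for tx in build_transactions(events, maxpause):
        for value, n in sorted(Counter(tx["values"]).items()):
            rows.append((tx["_time"], tx["cif"], value, n))
    return rows
```

Because _time differs per transaction, the per-value counts stay separate even when the same cif has several sessions, which is what the `count(value) by value` search in the question loses.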
1003411 27/05/2013 10:40 value1
1003411 27/05/2013 10:41 value1
1003411 27/05/2013 10:43 value2
1008980 27/05/2013 12:21 value1
1008980 27/05/2013 12:21 value2
1008980 27/05/2013 12:21 value3
1008980 27/05/2013 12:21 value2
1008980 27/05/2013 12:23 value3
1008980 27/05/2013 12:23 value3
and so on
Do you mind posting a single sample event (before using transaction)? Maybe I am assuming something in my test data that is not present.
Yes, that field is extracted at search-time. But I don't understand, how is it possible that it works for you and not for me? I copied and pasted it.
In my answer I assumed that "value" is an extracted field. Is this correct? If it is an extracted field then the search I gave you aggregates the counts fine (I tested it on sample data).
This doesn't work either. The result becomes like
23/07/2013 17:09 userid1 value1 6
23/07/2013 17:09 userid1 value2 6
23/07/2013 17:09 userid1 value3 6
so each value is counted as the total number of events for that userid, _time
Hi emaccaferri, is there any reason you must use multi value? Would a table result be ok:
23/07/2013 17:09 userdi1 value1 3
23/07/2013 17:09 userdi1 value2 2
...