Copy and paste the search below into the search bar and run it.

```
sourcetype=access_* status=200 action=purchase | top limit=1 clientip
```

Here, the limit=1 argument specifies that only one value is returned, and the clientip argument specifies the field to return. In Splunk, this search returns one clientip value, 87.194.216.51, which identifies the VIP shopper. The search also returns a count and a percent; these are the default fields that the top command returns.

We then have to run another search to determine how many different items the VIP shopper has ordered. Use the stats command to count this VIP customer's purchases.

```
sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count, distinct_count(productId), values(productId) by clientip
```

This search uses several statistical functions with the stats command. The count() function gives the VIP shopper's total number of purchases. The distinct_count() function, which has the alias dc(), counts the number of different (unique) products the shopper has purchased. The values() function returns the distinct product IDs as a multivalue field.

The downside of this method is that we have to run two searches every time we want this table built, and in every time range the top buyer is not likely to be the same person.

Example 2: Search with a sub search in Splunk

We start from our first requirement: identify the single most frequent shopper on the online store Buttercup Games. Copy and paste the search below into the search bar and run it.

```
sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip
```

This search returns the clientip of the most frequent shopper, clientip=87.194.216.51. It is nearly identical to the search in step 1 of Example 1; the difference is the last piped command, table clientip, which shows the clientip in a single row. Although the top command returns the count and percent fields, the table command retains only the clientip value, because that is the only field we specified, so it is the only field in the output.

We now run a search on the same data to see what this shopper has ordered. The result of the most frequent shopper search is supplied as one of the search criteria of the purchase search: the most frequent shopper search becomes the sub search, and the purchase search is referred to as the outer or primary search. In Splunk, a sub search is enclosed in square brackets and is evaluated first, before the rest of the search criteria are read. Because we are searching the same data, the beginning of the outer search is identical to the beginning of the sub search. Copy and paste the search below into the search bar and run it.

```
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, distinct_count(productId), values(productId) by clientip
```
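To make the sub search mechanics concrete, here is an added Python sketch (not from the original tutorial and not Splunk code) that replays the same pipeline over a handful of constructed purchase events: the bracketed search runs first, its table clientip row is spliced into the outer search as a clientip=... criterion, and stats then summarises that one shopper.

```python
from collections import Counter, defaultdict

# Constructed sample events shaped like the tutorial's access_* data (not real logs).
EVENTS = [
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "WC-SH-G04"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "DB-SG-G01"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "WC-SH-G04"},
    {"clientip": "87.194.216.51", "status": 404, "action": "purchase", "productId": "MB-AG-G07"},
    {"clientip": "198.51.100.7", "status": 200, "action": "purchase", "productId": "MB-AG-G07"},
    {"clientip": "198.51.100.7", "status": 200, "action": "addtocart", "productId": "MB-AG-G07"},
    {"clientip": "198.51.100.7", "status": 200, "action": "purchase", "productId": "WC-SH-G04"},
]


def base_search(events, **criteria):
    """sourcetype=access_* status=200 action=purchase, plus any extra field=value pairs
    (the sub search result is spliced in as such a pair)."""
    wanted = {"status": 200, "action": "purchase", **criteria}
    return [e for e in events if all(e.get(k) == v for k, v in wanted.items())]


def top_limit_1(events, field):
    """top limit=1 <field>: the most frequent value plus the default count and percent fields."""
    value, count = Counter(e[field] for e in events).most_common(1)[0]
    return {field: value, "count": count, "percent": round(100.0 * count / len(events), 2)}


def table(row, *fields):
    """table <fields>: keep only the named fields, discarding count and percent."""
    return {f: row[f] for f in fields}


def stats_by_clientip(events):
    """stats count, dc(productId), values(productId) by clientip"""
    products = defaultdict(list)
    for e in events:
        products[e["clientip"]].append(e["productId"])
    return {
        ip: {"count": len(p), "dc(productId)": len(set(p)), "values(productId)": sorted(set(p))}
        for ip, p in products.items()
    }


def subsearch_example(events):
    """Example 2: the bracketed sub search runs first; its single clientip row becomes a
    search criterion of the outer search, which is then summarised with stats."""
    sub = table(top_limit_1(base_search(events), "clientip"), "clientip")
    outer = base_search(events, **sub)  # same base criteria + clientip=<top shopper>
    return stats_by_clientip(outer)


if __name__ == "__main__":
    print(subsearch_example(EVENTS))
```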