Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

More searches and reports

This topic takes you through more search examples.

Example 1: Compare the number of views to purchases

In this example, calculate the number of views and number of purchases for each type of product.

This report requires the productName field from the fields lookup example. If you did not add the lookup, refer to that example and follow the procedure.

1. Run this search:

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"


The chart command is used to count the number of events that are action=purchase and action=addtocart. You can format the visualization as a column chart:

Searchtutorial morereports ex1.png

Alternatively, you can use the stats command to create a table of the same statistics, and more:

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchase=(purchases/views)*100 | eval cartToPurchase=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchase cartToPurchase | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds To Cart", purchases AS "Purchases"

Here, the stats command is used instead of the chart command. The eval command is used to define new fields, which are the percentage of views and addtocart that lead to purchases.

Search tutorial morereports1.png

2. Click Save As and select Report.

3. In the Save Report As dialog box, enter a Title, "Comparison of Product Views and Purchases".

4. (Optional) Enter a Description, "The number of times a product is viewed, added to cart, and purchased."

5. Click Save.
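As an added illustration (not part of the Splunk tutorial or its sample data), this Python code reproduces offline what the stats search in Example 1 computes: the status=200 filter, the three counts by productName, and the two percentages. The log lines, product IDs, PRODUCT_LOOKUP table and function names are constructed for the example; the table stands in for the tutorial's productName lookup, and leaving a percentage empty when its divisor is zero is a choice made here.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log events (combined format); not the tutorial's data.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2014:10:01:02 +0000] "GET /product.screen?productId=P-100 HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:01:09 +0000] "POST /cart.do?action=addtocart&productId=P-100 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2014:10:02:15 +0000] "POST /cart.do?action=purchase&productId=P-100 HTTP/1.1" 200 1744 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2014:10:03:40 +0000] "GET /product.screen?productId=P-100 HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2014:10:04:01 +0000] "GET /product.screen?productId=P-200 HTTP/1.1" 200 998 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2014:10:04:30 +0000] "POST /cart.do?action=purchase&productId=P-200 HTTP/1.1" 200 1650 "-" "Mozilla/5.0"
203.0.113.20 - - [12/Mar/2014:10:04:31 +0000] "POST /cart.do?action=purchase&productId=P-200 HTTP/1.1" 503 310 "-" "Mozilla/5.0"
203.0.113.21 - - [12/Mar/2014:10:05:00 +0000] "GET /category.screen?categoryId=STRATEGY HTTP/1.1" 200 870 "-" "Mozilla/5.0"
203.0.113.21 - - [12/Mar/2014:10:05:12 +0000] "GET /product.screen?productId=P-999 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Constructed stand-in for the tutorial's lookup that supplies productName.
PRODUCT_LOOKUP = {"P-100": "Alpha Game", "P-200": "Beta Puzzle"}
LINE_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

def pct(part, whole):
    # Percentage rounded to two places; None when there is nothing to divide by.
    return round(part / whole * 100, 2) if whole else None

def product_report(log_text):
    """Per-product views, adds to cart, purchases and conversion percentages."""
    rows = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "200":        # the status=200 filter
            continue
        qs = parse_qs(urlparse(m["uri"]).query)
        name = PRODUCT_LOOKUP.get(qs.get("productId", [""])[0])
        if name is None:                          # no productName: not in any "by" group
            continue
        row = rows[name]
        row["views"] += 1                         # count AS views
        action = qs.get("action", [""])[0]
        if action == "addtocart":                 # count(eval(action="addtocart"))
            row["addtocart"] += 1
        elif action == "purchase":                # count(eval(action="purchase"))
            row["purchases"] += 1
    for row in rows.values():
        row["viewsToPurchase"] = pct(row["purchases"], row["views"])
        row["cartToPurchase"] = pct(row["purchases"], row["addtocart"])
    return dict(rows)

if __name__ == "__main__": print(product_report(SAMPLE_LOG))
```

The constructed "Beta Puzzle" rows include a purchase with no preceding add-to-cart event and a purchase that returned 503, so the output shows both the empty cartToPurchase value and the effect of the status filter.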


Example 2: Products purchased over time

For this report, chart the number of purchases that were completed for each item.

This report requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

1. Search for:

sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull="f" useother="f"


Use the count() function to count the number of events that have the field action=purchase. Use the usenull and useother arguments to make sure the chart counts only events that have a value for productName.

This produces the following statistics table.

Search tutorial morereports timechart.png


2. Click the Visualizations tab.

If you look at the chart selection menu, the Line, Area, and Column visualizations are recommended.

Search tutorial morereports selectchart.png

If you select Line and format the Y-axis and Legend, you can produce this chart:

Search tutorial morereports timechart2.png

Now see how it looks as an Area or Column chart.


3. Click Save As and select Report.

4. In the Save Report As dialog box, enter a Title, "Purchases by Product Name".

5. (Optional) Enter a Description, "The number of purchases for each product."

6. Click Save.


Example 3: Purchasing trends

This example uses sparklines to trend the count of purchases made over time.

For stats and chart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row. See "Add sparklines to your search results" in the Search Manual.

This example requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

1. Run the following search:

sourcetype=access_* status=200 action=purchase | chart sparkline(count) AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS "Category"

This search uses the chart command to count the number of purchases, action="purchase", made for each category, categoryId. The difference from the earlier examples is that the count of purchases is now an argument of the sparkline() function.


Search tutorial morereports sparklines.png


2. Click Save As and select Report.

3. In the Save Report As dialog box, enter a Title, "Purchasing trends".

4. (Optional) Enter a Description, "Count of purchases with trending."

5. Click Save.


Next steps

Up to now, you have saved searches as Reports. Continue to "Creating dashboards" to learn about dashboards and how to save searches and reports as dashboard panels.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14

