Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

More searches and reports

This topic takes you through more search examples.

Example 1: Compare the number of views to purchases

In this example, calculate the number of views and number of purchases for each type of product.

This report requires the productName field from the fields lookup example. If you did not add the lookup, refer to that example and follow the procedure.

1. Run this search:

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"



This search uses the chart command to count the number of events that are action=purchase and action=addtocart.

2. Use the Visualization view options to format the results as a column chart.



Alternatively, you can use the stats command to create a table of the same statistics, and more:

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchase=(purchases/views)*100 | eval cartToPurchase=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchase cartToPurchase | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds To Cart", purchases AS "Purchases"



This search uses the stats command instead of the chart command. The eval command defines two new fields, which are the percentage of views and addtocart that lead to purchases.


3. Click Save As and select Report.

4. In the Save Report As dialog box, enter a Title, "Comparison of Product Views and Purchases".

5. (Optional) Enter a Description, "The number of times a product is viewed, added to cart, and purchased."

6. Click Save.
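The aggregation in Example 1, reproduced outside Splunk as an added example (not part of the original tutorial): it applies the status=200 filter, the conditional counts, and the two eval percentages to a few constructed access-log lines. The log lines, the grouping by productId instead of the lookup field productName, and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample events in a combined access-log style (not tutorial data).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Oct/2014:10:00:01] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 1200
198.51.100.7 - - [17/Oct/2014:10:00:09] "POST /cart.do?action=addtocart&productId=WC-SH-G04 HTTP/1.1" 200 900
198.51.100.7 - - [17/Oct/2014:10:00:30] "POST /cart.do?action=purchase&productId=WC-SH-G04 HTTP/1.1" 200 950
203.0.113.9 - - [17/Oct/2014:10:01:02] "GET /product.screen?productId=WC-SH-G04 HTTP/1.1" 200 1200
203.0.113.9 - - [17/Oct/2014:10:01:40] "GET /product.screen?productId=DB-SG-G01 HTTP/1.1" 200 1100
203.0.113.9 - - [17/Oct/2014:10:02:05] "POST /cart.do?action=purchase&productId=DB-SG-G01 HTTP/1.1" 503 300
192.0.2.44 - - [17/Oct/2014:10:03:00] "GET /category.screen?categoryId=STRATEGY HTTP/1.1" 200 800
"""

LINE_RE = re.compile(r'"(?:GET|POST) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')


def pct(part, whole):
    # SPL eval yields null on division by zero; None stands in for null here.
    return round(part / whole * 100, 1) if whole else None


def views_vs_purchases(log_text):
    rows = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("status") != "200":    # status=200
            continue
        query = parse_qs(urlsplit(m.group("uri")).query)
        product = query.get("productId", [None])[0]
        if product is None:     # "by <field>" drops events that lack the field
            continue
        action = query.get("action", [None])[0]
        row = rows[product]
        row["views"] += 1                           # count AS views
        row["addtocart"] += action == "addtocart"   # count(eval(action="addtocart"))
        row["purchases"] += action == "purchase"    # count(eval(action="purchase"))
    for row in rows.values():
        row["viewsToPurchase"] = pct(row["purchases"], row["views"])
        row["cartToPurchase"] = pct(row["purchases"], row["addtocart"])
    return dict(rows)


if __name__ == "__main__":
    for product, row in views_vs_purchases(SAMPLE_LOG).items():
        print(product, row)
```

Note that "views" counts every status=200 event for the product, including the addtocart and purchase requests, and that a product with no addtocart events gets an empty cartToPurchase value rather than an error.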

Example 2: Products purchased over time

For this report, chart the number of purchases that were completed for each item.

This report requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

1. Search for:

sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull="f" useother="f"

Use the count() function to count the number of events that have the field action=purchase. Use the usenull and useother arguments to make sure the chart counts only events that have a value for productName.

This produces a statistics table.


2. Click the Visualizations tab.

If you look at the chart selection menu, the Line, Area, and Column visualizations are recommended.



3. Select Line and format the Y-axis and Legend.


4. Click Save As and select Report.

5. In the Save Report As dialog box, enter a Title, "Purchases by Product Name".

6. (Optional) Enter a Description, "The number of purchases for each product."

7. Click Save.

Example 3: Purchasing trends

This example uses sparklines to trend the count of purchases made over time.

For stats and chart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row. See "Add sparklines to your search results" in the Search Manual.

This example requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

1. Run the following search:

sourcetype=access_* status=200 action=purchase | chart sparkline(count) AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS "Category"

This search uses the chart command to count the number of purchases, action="purchase", made for each category, categoryId. The difference is that the count of purchases is now an argument of the sparkline() function.



2. Click Save As and select Report.

3. In the Save Report As dialog box, enter a Title, "Purchasing trends".

4. (Optional) Enter a Description, "Count of purchases with trending."

5. Click Save.

Next steps

Up to now, you have saved searches as Reports. Continue to "Creating dashboards" to learn about dashboards and how to save searches and reports as dashboard panels.


This documentation applies to the following versions of Splunk® Enterprise: 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12


Comments

This search will not work on the latest data, because there is no productName, only productId. Try this search:

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productId | rename productId AS "Product ID", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"

Izzyleung
October 17, 2014
