Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

More searches and reports

This topic takes you through more search examples.

Example 1: Compare counts of user actions

In this example, calculate the number of views, purchases, and adds to cart for each type of product.

This report requires the productName field from the fields lookup example. If you did not add the lookup, refer to that example and follow the procedure.

1. Return to the Search view, and run this search:

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"



This search uses the chart command to count the number of events that are action=purchase and action=addtocart.

2. Use the Visualization view options to format the results as a column chart.



Example 2: Overlay Actions and Conversion Rates on one chart

1. Run this search:

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchase=(purchases/views)*100 | eval cartToPurchase=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchase cartToPurchase | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds To Cart", purchases AS "Purchases"

Instead of the chart command, this search uses the stats command to count the user actions. Then, it uses the eval command to define two new fields which calculate conversion rates for "Product Views to Purchases" and "Adds to cart to Purchases".



Steps 2 through 6 reformat the visualization to overlay the data series for conversions (viewsToPurchase and cartToPurchase) onto the data series for actions (views, adds to cart, and purchases).


2. Click Visualization.

This is the same chart as in Example 1, with two additional series, "viewsToPurchase" and "cartToPurchase".




3. Click Format and X-Axis.




3.1 Rotate the label -45 degrees and do not truncate the label.
3.2 Click Apply.


4. Click Format and Y-Axis.



4.1 For Title, choose Custom and type in "Actions".
4.2 Set the Interval to 500 and the Max Value to 2500.
4.3 Click Apply.


5. Click Format and Chart Overlay.



5.1 Type in or select the fields, "viewsToPurchase" and "cartToPurchase".
5.2 For View as Axis, click On.
5.3 For Title, choose Custom and type in Conversion Rates.
5.4 For Scale, choose Linear.
5.5 Set the Interval to 20 and the Max Value to 100.
5.6 Click Apply.




6. Click Save As and select Report.



6.1 In the Save Report As dialog box, enter a Title, "Comparison of Actions and Conversion Rates by Product".
6.2 (Optional) Enter a Description, "The number of times a product is viewed, added to cart, and purchased and the rates of purchases from these actions."

7. Click Save.
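
The following Python sketch is an added example, not part of the Splunk tutorial. It reproduces what the Example 2 search computes, so you can see how count(eval(...)) differs from a plain count and what happens when a denominator is zero. The sample events, the product IDs, and the PRODUCT_NAMES lookup are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed lookup standing in for the tutorial's productName field lookup.
PRODUCT_NAMES = {"P-01": "Alpha Game", "P-02": "Beta Game"}

# Constructed events in a simplified access-log shape (not real tutorial data).
SAMPLE_EVENTS = [
    '"GET /product.screen?productId=P-01 HTTP/1.1" 200',
    '"GET /cart.do?action=addtocart&productId=P-01 HTTP/1.1" 200',
    '"POST /cart.do?action=purchase&productId=P-01 HTTP/1.1" 200',
    '"GET /cart.do?action=addtocart&productId=P-01 HTTP/1.1" 200',
    '"POST /cart.do?action=purchase&productId=P-01 HTTP/1.1" 503',  # fails status=200
    '"GET /product.screen?productId=P-02 HTTP/1.1" 200',
    '"GET /cart.do?action=view&productId=P-02 HTTP/1.1" 200',
    '"GET /product.screen?productId=ZZ-9 HTTP/1.1" 200',  # no lookup match
]

EVENT_RE = re.compile(r'"\w+ \S*?\?(?P<query>\S*) HTTP/[\d.]+" (?P<status>\d{3})')

def parse(line):
    """Extract key=value fields from the query string, plus status and productName."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m["query"].split("&") if "=" in kv)
    fields["status"] = m["status"]
    fields["productName"] = PRODUCT_NAMES.get(fields.get("productId"))
    return fields

def conversion_report(lines):
    rows = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for ev in filter(None, map(parse, lines)):
        # status=200 filter; "by productName" skips events that lack the field
        if ev["status"] != "200" or ev["productName"] is None:
            continue
        row = rows[ev["productName"]]
        row["views"] += 1  # plain count: every event that passed the filter
        row["addtocart"] += ev.get("action") == "addtocart"  # count(eval(...))
        row["purchases"] += ev.get("action") == "purchase"
    for row in rows.values():
        row["viewsToPurchase"] = row["purchases"] / row["views"] * 100
        # eval leaves the field null on division by zero; None stands in for null
        row["cartToPurchase"] = (row["purchases"] / row["addtocart"] * 100
                                 if row["addtocart"] else None)
    return dict(rows)
```

Note that "views" counts every status=200 event for the product, not only page views, because the search uses a bare count for that column.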


Example 3: Products purchased over time

For this report, chart the number of purchases that were completed for each item.

This report requires the productName field from the fields lookup example. If you didn't add the lookup, refer to that example and follow the procedure.

1. Search for:

sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull="f" useother="f"

Use the count() function to count the number of events that have the field action=purchase. Set the usenull and useother arguments to false so that the chart omits the NULL and OTHER series and counts only events that have a value for productName.

This produces the following statistics table.

[Image: statistics table]


2. Click the Visualization tab and Format the X-Axis, Y-Axis, and Legend to produce the following line chart.

[Image: line chart]


3. Click Save As and select Report.



3.1 In the Save Report As dialog box, enter a Title, "Product Purchases over Time".

3.2 (Optional) Enter a Description, "The number of purchases for each product."


4. Click Save and View the report.


Example 4: Purchasing trends

This example uses sparklines to trend the count of purchases made over time.

For stats and chart searches, you can add sparklines to their results tables. Sparklines are inline charts that appear within the search results table and are designed to display time-based trends associated with the primary key of each row. See "Add sparklines to your search results" in the Search Manual.

This example requires the productName field from the fields lookup example. If you did not add the lookup, refer to that example and follow the procedure.

1. Run the following search:

sourcetype=access_* status=200 action=purchase | chart sparkline(count) AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS "Category"

This search uses the chart command to count the number of purchases, action="purchase", made for each product, productName. The difference is that the count of purchases is now an argument of the sparkline() function.



3. Click Save As and select Report.



4. In the Save Report As dialog box, enter a Title, "Purchasing trends".

5. (Optional) Enter a Description, "Count of purchases with trending."

6. Click Save and View the report.


Next steps

Up to now, you have saved searches as Reports. Continue to "Creating dashboards" to learn about dashboards and how to save searches and reports as dashboard panels.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
