Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

Search, chart, and report examples

Let's explore some other search examples, work with chart visualizations, and save the searches as reports.

Prerequisite
These examples require the productName field from the Enabling field lookups section. You must complete all of those steps before continuing with this section.

  • Example: Compare counts of user actions
  • Example: Overlay Actions and Conversion Rates on one chart
  • Example: Products purchased over time
  • Example: Purchasing trends


Example: Compare counts of user actions

In this example you will calculate information about the actions customers have taken on the online store website.

  • The number of times each product is viewed
  • The number of times each product is added to the cart
  • The number of times each product is purchased


1. Start a new search.

2. Run the following search.

sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"


This search uses the chart command to count, for each productName, all events with status=200 as views, and the events where action=addtocart and where action=purchase. The search then uses the rename command to rename the fields that appear in the results.
The chart command is a transforming command. The results of the search appear on the Statistics tab.
This screen image shows the results of running the search.

3. Click the Visualization tab. The search results appear in a Pie chart.

4. Change the display to a Column chart.

This screen image shows the Visualization tab. The results of the search are formatted as a Column chart.

Example: Overlay Actions and Conversion Rates on one chart

In this example, you will use the stats command to count the user actions. The eval command is used to calculate the conversion rates for those actions.

1. Start a new search.

2. Run the following search.

sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchases=(purchases/views)*100 | eval cartToPurchases=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchases cartToPurchases | rename productName AS "Product Name", views AS "Views", addtocart as "Adds To Cart", purchases AS "Purchases"


The eval command is used to define two new fields. These fields contain the conversion rates.
  • The viewsToPurchases field compares the number of customers who purchased the product to the number of customers who viewed the product (purchases/views). The calculation returns a percentage.
  • The cartToPurchases field compares the number of customers who purchased the product to the number of customers who added the product to their cart (purchases/addtocart). The calculation returns a percentage.
This screen image shows the results of the search.
The next few steps reformat the chart visualization to overlay the two data series for the conversion rates, onto the three data series for the actions.

3. Click the Visualization tab.

This is the same chart as in Example 1, with two additional data series, viewsToPurchases and cartToPurchases.
This screen image shows the search results depicted as a column chart, on the Visualization tab.

4. Click Format and X-Axis.

Because the labels on the X-Axis are difficult to read, let's fix that.
This screen image shows the Format dialog box, and options on the X-Axis tab.
a. Rotate the label -45 degrees.
b. For Label Truncation, click No.
c. Close the Format dialog box.
Notice the change in the labels on the X-Axis. Look at the numbers on the Y-Axis. They range from 1000 to 3000.

5. Click Format and Y-Axis.

To make the chart easier to read, add a label and specify different number intervals on the Y-Axis.
a. For Title, choose Custom and type Actions.
b. For Interval type 500.
c. For Max Value type 2500.
This screen image shows the Format dialog box. The options on the Y-Axis tab are filled in as specified in the steps above.
d. Close the Format dialog box. Notice the label and values on the Y-Axis.

6. Click Format and Chart Overlay.

To separate the actions (views, adds to cart, and purchases) from the conversion rates (viewsToPurchases and cartToPurchases), you can overlay one set of values over another set. In this example you will overlay the conversion rates over the actions.
a. For Overlay, click inside the box and select viewsToPurchases. Click inside the box again and select cartToPurchases.
b. For View as Axis, click On.
c. For Title, choose Custom.
This screen image shows the Format dialog box. The options on the Chart Overlay are displayed.
d. Type Conversion Rates.
e. For Scale, click Linear.
f. For the Interval type 20. For the Max Value type 100.
This screen image shows the updated display of the chart on the Visualization tab.
The axis on the right side of the chart is called the second Y-Axis. The label and values for the line series appear on this axis.

7. Click Save As and select Report.

This screen image shows the updated Save As drop-down.
a. In the Save Report As dialog box, for Title type Comparison of Actions and Conversion Rates by Product.
b. For Description, type The number of times a product is viewed, added to cart, and purchased and the rates of purchases from these actions.

8. Click Save.

9. In the confirmation dialog box, click View.

This screen image shows the saved report.
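
The following Python model of the step 2 search is an added illustration, not Splunk code or tutorial data; the events, product names, and function names are constructed. It shows that count AS views counts every status=200 event for a product (add-to-cart and purchase events included), that events without a productName fall out of the by clause, and that a product with no add-to-cart events has no cartToPurchases value to plot on the overlay.

```python
from collections import defaultdict

# Constructed events: (status, productName, action).
# action is None on a plain page view; productName is None when the lookup found no match.
EVENTS = [
    (200, "Game A", None),
    (200, "Game A", None),
    (200, "Game A", "addtocart"),
    (200, "Game A", "purchase"),
    (503, "Game A", "purchase"),   # excluded by status=200
    (200, "Game B", None),
    (200, "Game B", "purchase"),   # purchased without an addtocart event
    (200, None, "purchase"),       # no productName: not part of any "by" group
]


def pct(numerator, denominator):
    """Percentage, or None when the denominator is zero (rate cannot be computed)."""
    if denominator == 0:
        return None
    return numerator / denominator * 100


def actions_and_rates(events):
    """Model of: stats count AS views, count(eval(...)) ... by productName | eval ..."""
    rows = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for status, product, action in events:
        if status != 200 or product is None:
            continue
        row = rows[product]
        row["views"] += 1                              # count AS views: every matching event
        row["addtocart"] += int(action == "addtocart")  # count(eval(action="addtocart"))
        row["purchases"] += int(action == "purchase")   # count(eval(action="purchase"))
    for row in rows.values():
        row["viewsToPurchases"] = pct(row["purchases"], row["views"])
        row["cartToPurchases"] = pct(row["purchases"], row["addtocart"])
    return dict(rows)


if __name__ == "__main__":
    for name, row in sorted(actions_and_rates(EVENTS).items()):
        print(name, row)
```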

Example: Products purchased over time

Create a report that charts the number of purchases that were completed for each item.

1. Start a new search.

2. Run the following search.

sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull="f" useother="f"

This search uses the count() function to count the number of events that have the field action=purchase.
The search also uses the usenull and useother arguments to ensure that the timechart command counts only events that have a value for productName.
The following table appears on the Statistics tab.
This screen image shows the result of the search. The first column contains dates, based on the event timestamp. The remaining column labels list the names of each product.  For each date and product, the cells display a count of the number of products purchased.

3. Click the Visualization tab.

4. In the Format drop-down list, format the X-Axis, Y-Axis, and Legend to produce the following Line chart.

This screen image shows the following changes to the chart. The chart type is "line". The X-Axis contains a custom title "Date" and the labels are at a -45 degree angle. The Y-Axis contains a custom title "Purchases" and an Interval of 10.  The legend is positioned at the top of the chart.
This table lists the changes made to the chart.
Chart changes            Setting or value
Chart type               Line
X-Axis Custom Title      Date
X-Axis Labels            -45 degree angle
Y-Axis Custom Title      Purchases
Y-Axis Interval          10
Legend Position          Top

5. Click Save As and select Report.

This screen image shows the updated Save As drop-down.
a. In the Save Report As dialog box, for Title type Product Purchases over Time.
b. For Description, type The number of purchases for each product.
c. For Content, select Line Chart and Statistics Table.
d. For Time Range Picker, keep the default setting Yes.

6. Click Save.

7. In the confirmation dialog box, click View to see the report.

This screen image shows the saved report.

Next step

This completes Part 6 of the Search Tutorial.

Up to now, you have saved searches as Reports. Continue to Part 7: Creating dashboards, where you learn how to save searches and reports as dashboard panels.

See also

chart command in the Search Reference
Transforming commands in the Search Manual
Add sparklines to your search results in the Search Manual


This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11


Comments

XE050991680
Please make sure that you have completed the section on creating lookups in Part 5 of the tutorial.
You will need those lookups for the searches in this section to work properly. Start with this topic to create the lookups: http://docs.splunk.com/Documentation/Splunk/6.6.0/SearchTutorial/Usefieldlookups

Lstewart splunk, Splunker
May 19, 2017

This topic would be much more useful if I could fully participate. I managed to upload prices.csv data onto the server; however, I could not change permissions in Lookup Tables, so I could not proceed further with the exercise as my query was not working.

XE050991680
May 18, 2017

SurferQQ
Thank you so much for noticing that problem with the search description!
I have corrected the text.

Lstewart splunk, Splunker
May 2, 2016

There seems to be an error in this article:

"Example: Purchasing trends
...
2. ... The search specifies the purchases made for each product by using productName. ..."

I think it should end with "... using categoryId"

SurferQQ
May 2, 2016
