Splunk® Enterprise

Search Tutorial

Search, chart, and report examples

Let's explore some other search examples, work with chart visualizations, and save the searches as reports.

Example: Compare counts of user actions

In this example you will calculate information about the actions customers have taken on the online store website.

  • The number of times each product is viewed
  • The number of times each product is added to the cart
  • The number of times each product is purchased

Prerequisite
This example uses the productName field from the prices_lookup that you created in the Enabling field lookups section in this tutorial. You must complete all of those steps in that section before continuing with this example.

Steps

  1. Start a new search.
  2. Set the time range to All time.
  3. Run the following search.

    sourcetype=access_* status=200 | chart count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | rename productName AS "Product Name", views AS "Views", addtocart AS "Adds to Cart", purchases AS "Purchases"

    This search uses the chart command to count the number of events that are action=purchase and action=addtocart. The search then uses the rename command to rename the fields that appear in the results.
    The chart command is a transforming command. The results of the search appear on the Statistics tab.
    This screen image shows the results of running the search.
  4. Click the Visualization tab. The search results appear in a Pie chart.
  5. Change the display to a Column chart.
    This screen image shows the Visualization tab. The results of the search are formatted as a Column chart.

Example: Overlay Actions and Conversion Rates on one chart

In this example, you will use the stats command to count the user actions. The eval command is used to calculate the conversion rates for those actions. For example, how often someone who viewed a product added the product to their cart.

Prerequisite
This example uses the productName field from the prices_lookup that you created in the Enabling field lookups section of this tutorial. You must complete all of those steps in that section before continuing with this example.

Steps

  1. Start a new search.
  2. Change the time range to All time.
  3. Run the following search.

    sourcetype=access_* status=200 | stats count AS views count(eval(action="addtocart")) AS addtocart count(eval(action="purchase")) AS purchases by productName | eval viewsToPurchases=(purchases/views)*100 | eval cartToPurchases=(purchases/addtocart)*100 | table productName views addtocart purchases viewsToPurchases cartToPurchases | rename productName AS "Product Name", views AS "Views", addtocart as "Adds To Cart", purchases AS "Purchases"

    The eval command is used to define two new fields. These fields contain the conversion rates.
    • The viewsToPurchases field calculates the ratio of the number of customers who purchased the product to the number of customers who viewed the product. The calculation returns a percentage.
    • The cartToPurchases field calculates the ratio of the number of customers who purchased the product to the number of customers who added the product to their cart. The calculation returns a percentage.
    This screen image shows the results of the search.
    The next few steps reformat the chart visualization to overlay the two data series for the conversion rates, onto the three data series for the actions.
  4. Click the Visualization tab.
    This is the same chart as in Example 1, with two additional data series, viewsToPurchases and cartToPurchases.
    This screen image shows the search results depicted as a column chart, on the Visualization tab.
  5. Click Format and X-Axis.
    Because the labels on the X-Axis are difficult to read, let's fix that.
    This screen image shows the Format dialog box, and options on the X-Axis tab.
    1. Rotate the label -45 degrees.
    2. Close the Format dialog box.
      Notice the change in the labels on the X-Axis. Look at the numbers on the Y-Axis. They range from 1000 to 3000.
  6. Click Format and Y-Axis.
    To make the chart easier to read, add a label and specify different number intervals on the Y-Axis.
    1. For Title, choose Custom and type Actions.
    2. For Interval type 500.
    3. For Max Value type 2500.
      This screen image shows the Format dialog box. The options on the Y-Axis tab are filled in as specified in the steps above.
    4. Close the Format dialog box. Notice the label and values on the Y-Axis.
  7. Click Format and Chart Overlay.
    To separate the actions (views, adds to cart, and purchases) from the conversion rates (viewsToPurchases and cartToPurchases), you can overlay one set of values over another set. In this example you will overlay the conversion rates over the actions.
    1. For Overlay, click inside the box and select viewsToPurchases. Click inside the box again and select cartToPurchases.
    2. For View as Axis, click On.
    3. For Title, choose Custom.
      This screen image shows the Format dialog box. The options on the Chart Overlay are displayed.
    4. Type Conversion Rates.
    5. For Scale, click Linear.
    6. For the Interval type 20. For the Max Value type 100.
      This screen image shows the updated display of the chart on the Visualization tab.
      The axis on the right side of the chart is called the second Y-Axis. The label and values for the line series appear on this axis.
  8. Click Save As and select Report.
    This screen image shows the updated Save As drop-down.
    1. In the Save Report As dialog box, for Title type Comparison of Actions and Conversion Rates by Product.
    2. For Description, type The number of times a product is viewed, added to cart, and purchased and the rates of purchases from these actions.
  9. Click Save.
  10. In the confirmation dialog box, click View.
    This screen image shows the saved report.
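
The following Python sketch is an added example, not part of the Splunk tutorial. It reproduces what the stats and eval search in step 3 computes, using constructed events and placeholder product names, to show two details the search text does not spell out: views counts every matching event regardless of action, and a product with no addtocart events has no cartToPurchases value.

```python
from collections import defaultdict

# Constructed sample events (not the tutorial data set). They stand for
# events that already matched sourcetype=access_* status=200 and were
# enriched with productName by the lookup. Product names are placeholders.
EVENTS = (
    [{"productName": "Game A", "action": "view"}] * 6
    + [{"productName": "Game A", "action": "addtocart"}] * 2
    + [{"productName": "Game A", "action": "purchase"}] * 2
    + [{"productName": "Game B", "action": "view"}] * 3
    + [{"productName": "Game B", "action": "purchase"}] * 1
    + [{"action": "purchase"}]  # no productName: dropped by "by productName"
)


def pct(numerator, denominator):
    """Percentage, or None when the denominator is zero.

    Written as 100*n/d, which is mathematically the same as the search's
    (n/d)*100. None stands in for the empty field that eval produces
    when it divides by zero.
    """
    return None if denominator == 0 else 100 * numerator / denominator


def conversion_report(events):
    """Emulate: stats count AS views count(eval(action=...)) by productName."""
    counts = defaultdict(lambda: {"views": 0, "addtocart": 0, "purchases": 0})
    for event in events:
        name = event.get("productName")
        if name is None:
            continue  # stats ... by <field> skips events lacking the field
        row = counts[name]
        row["views"] += 1  # plain count: every event, whatever its action
        if event.get("action") == "addtocart":
            row["addtocart"] += 1
        if event.get("action") == "purchase":
            row["purchases"] += 1
    return {
        name: dict(
            row,
            viewsToPurchases=pct(row["purchases"], row["views"]),
            cartToPurchases=pct(row["purchases"], row["addtocart"]),
        )
        for name, row in sorted(counts.items())
    }


if __name__ == "__main__":
    for product, row in conversion_report(EVENTS).items():
        print(product, row)
```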

Example: Products purchased over time

Create a report that charts the number of purchases that were completed for each item in the last week.

Prerequisite
This example uses the productName field from the prices_lookup that you created in the Enabling field lookups section of this tutorial. You must complete all of those steps in that section before continuing with this example.

Steps

  1. Start a new search.
  2. Change the time range to Previous week.
  3. Run the following search.

    sourcetype=access_* | timechart count(eval(action="purchase")) by productName usenull=f useother=f

    This search uses the count() function to count the number of events that have the field action=purchase.
    The search also uses the usenull and useother arguments to ensure that the timechart command only counts events that have a value for productName.
    The following table appears on the Statistics tab.
    This screen image shows the result of the search. The first column contains dates, based on the event timestamp. The remaining column labels list the names of each product.  For each date and product, the cells display a count of the number of products purchased.
  4. Click the Visualization tab.
  5. Change the chart type to a Line chart.
  6. In the Format drop-down list, format the X-Axis, Y-Axis, and Legend using the settings in the following table.
    Chart changes          Setting or value
    Chart type             Line
    X-Axis Custom Title    Date
    X-Axis Labels          -45 degree angle
    Y-Axis Custom Title    Purchases
    Y-Axis Interval        10
    Legend Position        Top

    The following image shows the updated chart.

    This screen image shows the following changes to the chart. The chart type is "line". The X-Axis contains a custom title "Date" and the labels are at a -45 degree angle. The Y-Axis contains a custom title "Purchases" and an Interval of 10.  The legend is positioned at the top of the chart.
  7. Click Save As and select Report.
    This screen image shows the updated Save As drop-down.
    1. In the Save Report As dialog box, for Title type Product Purchases over Time.
    2. For Description, type The number of purchases for each product.
    3. For Content, select Line Chart and Statistics Table.
    4. For Time Range Picker, keep the default setting Yes.
  8. Click Save.
  9. In the confirmation dialog box, click View to see the report.
    This screen image shows the saved report.

Example: Purchasing trends

This example uses sparkline charts to show trends in the number of purchases made over time.

Sparklines are inline charts that appear in the search results table and are designed to display time-based trends associated with the primary key of each row. For searches that use the stats and chart commands, you can add sparkline charts to the results tables.

Prerequisite
This example uses the productName field from the prices_lookup that you created in the Enabling field lookups section in this tutorial. You must complete all of those steps before continuing with this example.

Steps

  1. Start a new search.
  2. Change the time range to All time.
  3. Run the following search.

    sourcetype=access_* status=200 action=purchase | chart sparkline(count) AS "Purchases Trend" count AS Total by categoryId | rename categoryId AS "Category"

    This search uses the chart command to count the number of purchases by using action="purchase". The search specifies the purchases made for each product by using categoryId. The difference is that the count of purchases is now an argument of the sparkline() function.
    This screen image shows the results of the search.
  4. Click Save As and select Report.
  5. In the Save Report As dialog box, for Title type Purchasing trends.
  6. For Description, type Count of purchases with trending.
    This screen image shows the Save As Report dialog box.
  7. Click Save.
  8. In the confirmation dialog box, click View.
    The screen image shows the saved report.

Next step

This completes Part 6 of the Search Tutorial.

Up to now, you have saved searches as Reports. Continue to Part 7: Creating dashboards, where you learn how to save searches and reports as dashboard panels.

See also

chart command in the Search Reference
Transforming commands in the Search Manual
Add sparklines to your search results in the Search Manual

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12

