12/18/2023

Splunk join lookup

In this section you will learn how to correlate events by using subsearches. A subsearch is a search that is used to narrow down the set of events that you search on. The result of the subsearch is then used as an argument to the primary, or outer, search. Subsearches are enclosed in square brackets within a main search and are evaluated first.

Let's find the single most frequent shopper on the Buttercup Games online store, and what that shopper has purchased. The following examples show why a subsearch is useful. Example 1 shows how to find the most frequent shopper without a subsearch. Example 2 shows how to find the most frequent shopper with a subsearch.

Example 1: without a subsearch

You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has purchased. Use the top command to return the most frequent shopper. To find the shopper who accessed the online shop the most, use this search:

sourcetype=access_* status=200 action=purchase | top limit=1 clientip

The limit=1 argument specifies to return 1 value. The clientip argument specifies the field to return. This search returns one clientip value, 87.194.216.51, which you will use to identify the VIP shopper. The search also returns a count and a percent. These are the default fields that are returned with the top command.

You now need to run another search to determine how many different products the VIP shopper has purchased. Use the stats command to count the purchases by this VIP customer:

sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count, distinct_count(productId), values(productId) by clientip

This search uses several statistical functions with the stats command. The count() function returns the total count of the purchases for the VIP shopper. The distinct_count() function, whose alias is dc(), counts the number of different, or unique, products that the shopper bought. The values() function displays the distinct product IDs as a multivalue field.

The drawback to this approach is that you have to run two searches each time you want to build this table. The top purchaser is not likely to be the same person in every time range.

Example 2: with a subsearch

Let's start with our first requirement, to identify the single most frequent shopper on the Buttercup Games online store. Copy and paste the following search into the Search bar and run the search:

sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip

This search is almost identical to the search in Example 1 Step 1. The difference is the last piped command, | table clientip, which displays the clientip information in a table. Because you specified only the clientip field with the table command, that is the only field returned. The count and percent fields that the top command generated are discarded from the output. This search returns the clientip for the most frequent shopper, clientip=87.194.216.51.
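As an added illustration that is not part of the Splunk tutorial, the following Python models what the top and stats searches above compute, and how the bracketed subsearch folds the two-search approach of Example 1 into one run. The field names (sourcetype, status, action, clientip, productId) are the page's own; the events, product IDs and the composed SPL string in the docstring are constructed assumptions.

```python
from collections import Counter

def ev(clientip, productId, status=200, action="purchase"):
    # Constructed sample event (not real Buttercup Games data); only the fields used.
    return {"sourcetype": "access_combined_wcookie", "status": status,
            "action": action, "clientip": clientip, "productId": productId}

EVENTS = [
    ev("87.194.216.51", "WC-SH-G04"), ev("87.194.216.51", "DB-SB-G01"),
    ev("87.194.216.51", "WC-SH-G04"), ev("87.194.216.51", "FS-SG-G03"),
    ev("10.0.0.2", "WC-SH-G04"), ev("10.0.0.2", "SC-MG-G10"),
    ev("10.0.0.3", "DB-SB-G01"),
    ev("10.0.0.3", "DB-SB-G01", action="view"),   # not a purchase: filtered out
    ev("10.0.0.3", "DB-SB-G01", status=503),      # failed request: filtered out
]

def purchase_events(events):
    """sourcetype=access_* status=200 action=purchase"""
    return [e for e in events if e["sourcetype"].startswith("access_")
            and e["status"] == 200 and e["action"] == "purchase"]

def top(events, field, limit=1):
    """| top limit=<limit> <field>  -> rows carrying <field>, count, percent"""
    counts = Counter(e[field] for e in events if field in e)
    total = sum(counts.values())
    return [{field: v, "count": c, "percent": round(100.0 * c / total, 6)}
            for v, c in counts.most_common(limit)]

def stats_for_client(events, clientip):
    """clientip=<ip> | stats count, dc(productId), values(productId) by clientip"""
    ids = [e["productId"] for e in events if e["clientip"] == clientip]
    return {"clientip": clientip, "count": len(ids),
            "dc(productId)": len(set(ids)),
            "values(productId)": sorted(set(ids))}   # values() is a sorted multivalue field

def vip_purchases_subsearch(events):
    """Example 2: the bracketed inner search (top ... | table clientip) runs first and
    its single clientip value becomes the filter argument of the outer stats search,
    so one run replaces the two searches of Example 1. Assumed SPL form, composed
    from the page's two searches by the bracket rule it states:
      sourcetype=access_* status=200 action=purchase
        [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip]
        | stats count, dc(productId), values(productId) by clientip"""
    base = purchase_events(events)
    inner = [{"clientip": r["clientip"]} for r in top(base, "clientip", limit=1)]  # | table clientip
    return stats_for_client(base, inner[0]["clientip"])
```

On the constructed events, top(...) yields 87.194.216.51 with count 4 and percent 57.142857, and the subsearch form returns count 4, dc 3 and the three sorted product IDs for that client.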