https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342958#M101560 <P>when i run this, i'm getting 7 total_customer_searches and 1 anonymous_customer_searches with 14%. That is accurate. if you break the syntax apart, pull in a small time range with a small set of data and run each line at a time, perhaps, make sure the data matches the output. If the counts aren't matching, let me know.</P> <PRE><CODE>|makeresults|eval customerId="123456,6546788,765478,-1,1257862,4867354,5884368"|makemv customerId delim=","|mvexpand customerId|timechart count(customerId) as total_customer_searches, count(eval(customerId="-1")) as anonymous_customer_Searches | eval anonymous_search_percent=((anonymous_customer_Searches/total_customer_searches)*100)|fillnull anonymous_search_percent value=0 </CODE></PRE> Tue, 29 Sep 2020 15:07:31 GMT cmerriman 2020-09-29T15:07:31Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342952#M101554 <P>I am running this query but not getting desired output.</P> <PRE><CODE>index=myapp sourcetype=log_source host="*myhost*" "Event*" AND "sell event" channelId=xyz | timechart count(customerId) as total_customer_searches, count(eval(customerID=-1)) as anonymous_customer_Searches | eval anonymous_search_percent=((anonymous_customer_Searches/total_customer_searches)*100) </CODE></PRE> <P>so, <CODE>customerID</CODE> could have <CODE>-1</CODE> OR any positive integer value. there are multiple <CODE>channelId</CODE> ( <CODE>abc</CODE>, <CODE>def</CODE>, <CODE>ghi</CODE>... <CODE>xyz</CODE> ) and I need to get a timechart or stats count of the percentage for <CODE>customerId</CODE>=<CODE>-1</CODE> on <CODE>channelId</CODE>=<CODE>xyz</CODE>.</P> Mon, 31 Jul 2017 04:56:10 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342952#M101554 iqbalintouch 2017-07-31T04:56:10Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342953#M101555 <P>@iqbalintouch, <STRONG>field names are case sensitive</STRONG>. So, in case your field name is customerID, the <CODE>count(customerId)</CODE> should actually be <CODE>count(customerID)</CODE></P> <P>Also try out <CODE>round()</CODE> function for percentage to reduce to two digit precision or whatever you like.</P> <PRE><CODE>| eval anonymous_search_percent=round(((anonymous_customer_Searches/total_customer_searches)*100),2) </CODE></PRE> <P>Please try out and confirm.</P> Mon, 31 Jul 2017 11:14:31 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342953#M101555 niketn 2017-07-31T11:14:31Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342954#M101556 <P>try something along these lines:</P> <PRE><CODE>index=myapp sourcetype=log_source host="*myhost*" channelId=xyz ("Event*" AND "sell event" ) | timechart count(customerID) as total_customer_searches, count(eval(customerID="-1")) as anonymous_customer_Searches | eval anonymous_search_percent=((anonymous_customer_Searches/total_customer_searches)*100) |fillnull anonymous_search_percent value=0 </CODE></PRE> <P>using customerID instead of customerId and placing -1 inside quotations. I also added a fillnull incase some of the anonymous_search_percents were not filled out.</P> Tue, 29 Sep 2020 15:07:07 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342954#M101556 cmerriman 2020-09-29T15:07:07Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342955#M101557 <P>@cmerriman, I dont think double quotes for <CODE>-1</CODE> is required. I expect the solution to be only casing issue with Field Name casing.</P> Tue, 01 Aug 2017 02:10:14 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342955#M101557 niketn 2017-08-01T02:10:14Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342956#M101558 <P>Hi @niketnilay, </P> <P>I wrongly mentioned as customerID, correct value is customerId. I have corrected it and ran the query still not getting desired output.</P> Tue, 01 Aug 2017 04:57:28 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342956#M101558 iqbalintouch 2017-08-01T04:57:28Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342957#M101559 <P>Hi @cmerriman,</P> <P>Query is looking good but not getting desired output. Anonymous search percent is showing more than 80% which shouldn't be..most of the time it should be &gt;=5%.</P> <P>customerId can have any values like 123456, 6546788, -1, 765478 out of these customerId's only those searches with customerId=-1 are anonymous search. Hope this help !</P> <P>Please let me know if you need more details.<BR /> Thank yoU!</P> Tue, 01 Aug 2017 05:05:06 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342957#M101559 iqbalintouch 2017-08-01T05:05:06Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342958#M101560 <P>when i run this, i'm getting 7 total_customer_searches and 1 anonymous_customer_searches with 14%. That is accurate. if you break the syntax apart, pull in a small time range with a small set of data and run each line at a time, perhaps, make sure the data matches the output. If the counts aren't matching, let me know.</P> <PRE><CODE>|makeresults|eval customerId="123456,6546788,765478,-1,1257862,4867354,5884368"|makemv customerId delim=","|mvexpand customerId|timechart count(customerId) as total_customer_searches, count(eval(customerId="-1")) as anonymous_customer_Searches | eval anonymous_search_percent=((anonymous_customer_Searches/total_customer_searches)*100)|fillnull anonymous_search_percent value=0 </CODE></PRE> Tue, 29 Sep 2020 15:07:31 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342958#M101560 cmerriman 2020-09-29T15:07:31Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342959#M101561 <P>Hi @cmerriman,</P> <P>Yes, if I take the above example it is working fine but when I add index, sourcetype, host and channelId the query is not working.<BR /> so in your query you need the string: index=myapp sourcetype=log_source host="<EM>myhost</EM>" "Event*" AND "sell event" channelId=xyz</P> <P>so we just need to make it certain that anonymous customer percentage shouldn't be increasing on channelId=xyz.<BR /> NOTE: customerId can have -1 value or any positive numeric value...and these numbers can be in thousands and millions so we need to make a percent comparison of known and unknown customers.<BR /> In other words known(non -1) CUSTOMER_ID % should be at least 95%.</P> <P>Hope this helps.</P> Wed, 02 Aug 2017 03:05:01 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342959#M101561 iqbalintouch 2017-08-02T03:05:01Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342960#M101562 <P>try running this and see if you get the expected outcome where customerId of -1 has a value of 1 in IsOfConcern and all other customerIds have a value of 0:</P> <PRE><CODE>index=myapp sourcetype=log_source host="*myhost*" channelId=xyz (Event* AND "sell event" ) | eval IsOfConcern = if(customerId="-1", 1, 0) | table customerId, IsOfConcern </CODE></PRE> <P>if you're seeing the correct values and the number of rows you might expect in total, then everything should be accurate. Otherwise we might have a problem with the base search/source data.</P> Wed, 02 Aug 2017 13:31:54 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342960#M101562 cmerriman 2017-08-02T13:31:54Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342961#M101563 <P>Seems to be correct @cmerriman . Now I need the percentage value of both customerId's.</P> <P>Thank you!</P> Thu, 03 Aug 2017 09:02:32 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342961#M101563 iqbalintouch 2017-08-03T09:02:32Z https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342962#M101564 <P>you can use the IsOfConcern and sum those up, if you'd like. <BR /> something like (if it doesn't appear correct, start doing it line by line until you see where it looks wrong):</P> <PRE><CODE> index=myapp sourcetype=log_source host="*myhost*" channelId=xyz (Event* AND "sell event" ) | eval IsOfConcern = if(customerId="-1", 1, 0)| table customerId, IsOfConcern|stats sum(IsOfConcern) as anonymous_customer_Searches count as total_customer_searches| eval anonymous_search_percent=((anonymous_customer_Searches/total_customer_searches)*100) </CODE></PRE> <P>if you need it by _time, you can sub stats for timechart, or add <CODE>|bucket _time span=1h|stats ...... by _time</CODE></P> Thu, 03 Aug 2017 11:48:26 GMT https://community.splunk.com/t5/Splunk-Search/customerID-percentage-on-a-particular-channelID-based-on/m-p/342962#M101564 cmerriman 2017-08-03T11:48:26Z