topic How to create search stirng for the given qestions? in Splunk Search

How to create search stirng for the given qestions?

faaku — Fri, 04 Feb 2022 21:57:01 GMT

I need the results for this question: What if you wanted to find the top product sold and how many people bought it?

Actually, I found this question on given link. https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchTutorial/Useasubsearch

I'm new to Splunk, and I tried various strings but not able to find the perfect string.

Re: How to create search stirng for the given qestions?

MuS — Fri, 04 Feb 2022 22:44:42 GMT

Hi there,

try something like this:

| stats count AS "Total Purchased", distinct_count(clientip) AS "Customers" by productId

Replace the last stats from the docs page with the above one and it should show you what you have asked for 🙂

cheers, MuS

Re: How to create search stirng for the given qestions?

PickleRick — Fri, 04 Feb 2022 23:20:35 GMT

In general, due to the reasons outlined in a frame on the webpage you pointed to, it's actually a good practice to avoid subsearches if it's possible and use other means of finding your result.

Anyway, using a subsearch you'd want to find a top product

search sourcetype=access_* status=200 action=purchase 
    | top limit=1 product
    | table product

This search put into a subsearch would effectively yield a "product=something" condition in runtime.

So you'd need to use it to select the purchases of this particular product and count the customers

search sourcetype=access_* status=200 action=purchase
[ search sourcetype=access_* status=200 action=purchase 
    | top limit=1 product
    | table product ]
| stats dc(clientip)

Assuming that you distinguish clients by clientip.

You can however get the same result another way (and in this case it's relatively easy; sometimes it's more complicated)

search sourcetype=access_* status=200 action=purchase
| stats dc(clientip) count by product
| sort - count
| head 1