topic How to get top products used by customers? in Splunk Search

How to get top products used by customers?

sunilkumar — Tue, 07 Mar 2023 21:54:00 GMT

I'm trying to get the top products used by customers.

Re: How to get top products used by customers

PickleRick — Tue, 07 Mar 2023 19:45:29 GMT

What do your events look like? What have you tried so far? With what outcome?

Re: How to get top products used by customers

sunilkumar — Tue, 07 Mar 2023 19:49:47 GMT

I tried this index=f5_access sourcetype=f5_access_lo
I got events with base URI, source type, URL, etc.

Re: How to get top products used by customers

PickleRick — Tue, 07 Mar 2023 20:09:30 GMT

Ok. So judging from the naming this looks like logs from F5 solution. In order to answer your question you'll have to know what "products" mean in this context (and where they are included in your logs) and how do you define "top" products - used by most customers? How do you distinguish customers then? By unique IP? By some session identifier?

Re: How to get top products used by customers

sunilkumar — Tue, 07 Mar 2023 20:25:54 GMT

Hi Rick,
Thanks for the quick response.
Here the product is a table name, which is in the URL and customers have a unique name called instance it is also in the URL. sc_catalog is the product here

Re: How to get top products used by customers

yuanliu — Wed, 08 Mar 2023 08:33:23 GMT

So, "product" is just the last segment of PATH_INFO. Here is a general method to process URI field semantically.

Here, you not only get "product", but also parameters in QUERY_STRING.

To find top "product", then, is just an exercise of counting.

| eval uri = split(urldecode(uri), "?") | eval PATH_INFO = mvindex(uri, 0) | eval product = replace(mvindex(split(PATH_INFO, "/"), -1), "\.do$", "") | top 5 product ``` replace 5 with however many you want ```

Here, we drop ".do" from "product" name. This is just cosmetic.

Two additional points: When you ask a question, always illustrate your data (anonymize as needed), but in text. This is a Splunk search forum, not an F5 forum. Explain how the data should logically lead to your desired results.

Another pointer is about anonymization. Public IP address can reveal a great deal about the business. (Even private IP address should be altered as a general rule.)