Splunk Search

need to show completion percentage with the following query

bluemarvel
Path Finder

the following produces all of the other stats except completion percentage

sourcetype=access_combined | transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1 |search action="addtocart" | stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted | eval %Completed=100*round(Completed/total,4)

Tags (1)
0 Karma
1 Solution

tiagofbmm
Influencer

Hi

Is this query what you want? (Let me know)

sourcetype=access_combined 
| transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1
|search action="addtocart" 
| stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted 
| eval totalCompleted=totalAttempted-totalFailed
| eval %Completed=100*round(totalCompleted/totalAttempted,4)

View solution in original post

niketn
Legend

@bluemarvel, if your intent is to find out what percent of total items added to order did not get purchased your query with transaction command and closed_txn is not giving you results you expect. Transaction command keeps certain number of events in memory for correlating as per the arguments like maxspan and maxpause startswith endswith etc. Even if due to the settings/config transaction command may drop the unmatched events (even though match may actually exist).

So stats is a better fit for this situation (and will perform better as well), where you can control what you need to correlate. Try the following search where stats correlates events with same JSESSIONID and the get all the values of action as either "addtocart" or "purchase" (base search filters are used to drop events we are not interested in to make search run faster).

index="splunk_answers" sourcetype=access_combined* action IN ("addtocart","purchase") JSESSIONID=*
| stats count as EventCount dc(action) as distinctActions values(action) as action by JSESSIONID
| stats count(eval(action="addtocart")) as TotalAdded count(eval(action="addtocart" AND action!="purchase")) as AddedNotOrdered
| eval FailedPercent=round((AddedNotOrdered/TotalAdded)*100,1)

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

tiagofbmm
Influencer

Hi

Is this query what you want? (Let me know)

sourcetype=access_combined 
| transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1
|search action="addtocart" 
| stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted 
| eval totalCompleted=totalAttempted-totalFailed
| eval %Completed=100*round(totalCompleted/totalAttempted,4)

tiagofbmm
Influencer

Please accept the answer it solves your issue

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...