Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why Return items not present in a subsearch?

psimoes
Loves-to-Learn
‎04-11-2023 04:23 PM

Given the simple scenario:

I have users in a platform that have actions, I want to return all the users that haven't performed a specific action. For example, I want to return all users that have been doing the action "View", but haven't performed any action "Purchase". The index would be the same.

Pseudo query:

index=A action=view [ search index=A action=purchase | stats count by user ] | where count by user = 0 

Any idea how could I write such query?

Labels (1)
Labels
Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-13-2023 08:59 AM

Like this:
| makeresults
| eval _raw="
user action
A view
A purchase
B view
C purchase"
| multikv forceheader=1
| stats count(eval(action="view")) AS views count(eval(action="purchase")) AS purchases BY user
| where views>0 AND purchases==0

So like this:
index="A" AND (action="view" OR action="purchase")
| stats count(eval(action="view")) AS views count(eval(action="purchase")) AS purchases BY user
| where views>0 AND purchases==0

0 Karma
Reply

manjunathmeti
Champion
‎04-12-2023 03:32 AM

hi @psimoes ,

As @yeahnah and @gcusello mentioned, you don't need a sub-search for this unless your action=purchage events are in a different index/sourcetype.

Try this.

| makeresults 
| eval _raw="user,action
A,view
B,view
C,view
C,purchase
D,purchase" 
| multikv forceheader=1 
| fields - _raw, linecount 
| eventstats count(eval(action="view")) as view_count, count(eval(action="purchase")) as purchase_count by user 
| where purchase_count=0


 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-11-2023 11:26 PM

Hi @psimoes,

as @yeahnah said, this is an incorrect way to use subsearches and anyway, you don't need a subsearch for your purpose.

Please try something like this:

index=A (action=view OR action=purchase)
| stats dc(action) AS action_count values(action) AS action BY user 
| where action_count=1 AND action=view

 Ciao.

Giuseppe

0 Karma
Reply

yeahnah
Motivator
‎04-11-2023 06:35 PM

Hi @psimoes 

No need for a subsearch to do this - avoid subsearches where possible as less efficient.

Try this...

index=A action=view OR action=purchase
| stats count values(action) AS actions BY user
| eval purchase_made=if(isnotnull(mvfilter(match(actions, "purchase"))), "yes", "no")
| where purchase_made="no"

The actions field is a multivalue field and the if statement tests whether this field contains the purchase value or not, before the where filter is applied.

Hope it helps

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...