Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combine a field from a previous row based on other fields and create another field

datatan
Engager
‎07-08-2020 12:49 PM

Here's an example data in splunk (bookstore logs):

time(ms)idstagepayload
1020984aaaa-bbbb-cccccheckoutLord Of The Rings;
1310953aaaa-bbbb-cccccartHarry Potter;Game Of Thrones;
1340932aaaa-bbbb-cccccartHarry Potter;
1345608dddd-eeee-ffffcartSplunk for Dummies;
1352093dddd-eeee-ffffcartSplunk for Dummies;Java 101;
1420838dddd-eeee-ffffcheckoutOrder#999999999
1450928aaaa-bbbb-cccccheckoutOrder #123456789

This shows 2 customers shopping for books and then buying them. The most recent cart row contains what they bought. It also contains a previous checkout from one of the customers.

I want to create a query that will return this:

time(ms)idstagepayloadtime_spent_browsing
1420838dddd-eeee-ffffcheckoutSplunk for Dummies;Java 101;6485
1450928aaaa-bbbb-cccccheckoutHarry Potter;

29979

 

The payload field should contain the most recent cart row's payload with matching id

The time_spent_browsing field should be the the (most recent cart's time - the earliest cart time). The earliest cart event should be after the previous thank you event.

I hope that makes sense.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 05:05 PM

See if this helps.

| transaction id startswith="cart" endswith="checkout" keeporphans=0 
| eval time_spent_browsing = tonumber(mvindex(time,1)) - tonumber(mvindex(time, 0)), time=mvindex(time,1), stage=mvindex(stage,1), payload=mvfilter(NOT match(payload,"Order\s?#"))
| table time, id, stage, payload, time_spent_browsing

 I try to avoid the transaction command, but sometimes it's the only thing that works.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-08-2020 05:05 PM

See if this helps.

| transaction id startswith="cart" endswith="checkout" keeporphans=0 
| eval time_spent_browsing = tonumber(mvindex(time,1)) - tonumber(mvindex(time, 0)), time=mvindex(time,1), stage=mvindex(stage,1), payload=mvfilter(NOT match(payload,"Order\s?#"))
| table time, id, stage, payload, time_spent_browsing

 I try to avoid the transaction command, but sometimes it's the only thing that works.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

datatan
Engager
‎07-09-2020 11:49 AM

Thank you for the quick reply. This is very close to what I need. The only problem is that it seems to calculate time spent browsing by subtracting the checkout time by the latest cart time. I don't know if it's possible but I'm trying to do this:

timeidstagepayload
5000abccartHarry Potter;
10000abccheckoutOrder #123123
20000abccartLord Of The Rings;
30000abccartLord Of The Rings;Game Of Thrones;
40000abccartGame Of Thrones;
50000abccheckoutOrder #123131

 

Time spent browsing for the last checkout should be the difference of the two bolded time values. Is this possible?

Thank you very much for your help!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎07-08-2020 02:29 PM

| stats last(eval(if(stage="checkout",'time(ms)',null())))  as time last(eval(if(stage="cart",payload,null())))  as payload last(stage) as stage by id

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...