Re: Correlating values in different index

Souradip11 · ‎01-11-2025

Hi,

I have two indexes - "cart" and "purchased" . In "cart" index there is a field "cart_id" and in "purchased" there is a field "pur_id". If payment will be successfully for a cart then the card_id values will be stored as a pur_id in the "purchased" index.

cart purchased

cart_id 123 payment received pur_id 123

cart_id 456 no payment no record for 456

Now I want to display the percentage of cart for which payment is done.

I wonder if anyone can help here.

Thank you so much

ITWhisperer · ‎01-11-2025

index IN (cart purchased) cart_id=* OR pur_id=*
| eval common_id=coalesce(cart_id, pur_id)
| eventstats dc(index) as common_count by common_id
| where index="cart"
| stats count as carts count(eval(common_count > 1)) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct

richgalloway · ‎01-11-2025

Perhaps this will help. It counts the number of unique cart and purchase IDs then does the math to find the percentage of paid carts.

index IN (cart purchased) cart_id=* OR pur_id=*
| stats dc(cart_id) as carts, dc(pur_id) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct

---
If this reply helps you, Karma would be appreciated.

Correlating values in different index

join

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation