Re: Correlating values in different index

Souradip11 · ‎01-11-2025

Hi,

I have two indexes - "cart" and "purchased" . In "cart" index there is a field "cart_id" and in "purchased" there is a field "pur_id". If payment will be successfully for a cart then the card_id values will be stored as a pur_id in the "purchased" index.

cart purchased

cart_id 123 payment received pur_id 123

cart_id 456 no payment no record for 456

Now I want to display the percentage of cart for which payment is done.

I wonder if anyone can help here.

Thank you so much

ITWhisperer · ‎01-11-2025

index IN (cart purchased) cart_id=* OR pur_id=*
| eval common_id=coalesce(cart_id, pur_id)
| eventstats dc(index) as common_count by common_id
| where index="cart"
| stats count as carts count(eval(common_count > 1)) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct

richgalloway · ‎01-11-2025

Perhaps this will help. It counts the number of unique cart and purchase IDs then does the math to find the percentage of paid carts.

index IN (cart purchased) cart_id=* OR pur_id=*
| stats dc(cart_id) as carts, dc(pur_id) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct

---
If this reply helps you, Karma would be appreciated.

Correlating values in different index

join

stats

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies