Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Correlating values in different index

Souradip11
Explorer
‎01-11-2025 11:04 AM

Hi,

I have two indexes - "cart" and "purchased" . In "cart" index there is a field "cart_id" and in "purchased" there is a field "pur_id".  If  payment will be successfully for a cart then the card_id values will be stored as a pur_id in the "purchased" index.

cart purchased 

cart_id 123 payment received  pur_id   123

cart_id 456   no payment  no record for 456

Now I want to display the percentage of cart for which payment is done.

I wonder if anyone can help here.

 

Thank you so much 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-11-2025 01:49 PM 
index IN (cart purchased) cart_id=* OR pur_id=*
| eval common_id=coalesce(cart_id, pur_id)
| eventstats dc(index) as common_count by common_id
| where index="cart"
| stats count as carts count(eval(common_count > 1)) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-11-2025 11:35 AM

Perhaps this will help.  It counts the number of unique cart and purchase IDs then does the math to find the percentage of paid carts.

index IN (cart purchased) cart_id=* OR pur_id=*
| stats dc(cart_id) as carts, dc(pur_id) as purchases
| eval pct=(purchases*100)/carts
| table carts purchases pct
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...