Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Joining two eventtypes based on an ID
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emamedov
Explorer
08-02-2016
03:13 PM
I currently have two sets of data where one includes all of the product views, and one includes all of the downloads on the webapp. Both reports generate a userId and I have them extracted as fields.
Ideally I would like to join another search where it looks up the items that were downloaded based on the userId. An example of the nature the data is in:
_
Company Name // UserId // Product Name // View Count
Company ABCD // 11111 // Product A // 2
Company EFGH // 22222 // Product A // 7
Company IJKLM // 33333 // Product B // 5
_
User Id // Document Id // Download Count
11111 // 88194432978 // 1
11111 // 36634432211 // 2
22222 // 12983769718 // 1
33333 // 51928379855 // 3
_
Below is the search I use to get the product access based on a client:
eventtype="advisorViewedProduct" | top productName by companyName, userId | stats list(*) as * by companyName, userId | table companyName,userId,productName,count
The following is the search I use to get the document downloads:
eventtype"documentDownloads" | top documentId by userId | stats list(*) as * by userId | table userId, documentId, count
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-02-2016
03:34 PM
Try this
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ]| stats values(*) as * by userId
| table companyName, userId productName "View count" documentId "Download count" | stats list(*) as * by companyName userId
Alternatively
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ] | eventstats values(companyName) as companyName by userId | stats list(*) as * by companyName userId | table companyName, userId productName "View count" documentId "Download count"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
08-02-2016
03:34 PM
Try this
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ]| stats values(*) as * by userId
| table companyName, userId productName "View count" documentId "Download count" | stats list(*) as * by companyName userId
Alternatively
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ] | eventstats values(companyName) as companyName by userId | stats list(*) as * by companyName userId | table companyName, userId productName "View count" documentId "Download count"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
08-02-2016
03:33 PM
Where are the download terms? Is that in a separate log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emamedov
Explorer
08-02-2016
04:34 PM
It's all in the same log, just a different eventtype.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Index This | What travels the world but is also stuck in place?
April 2026 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
As data volumes continue to grow and environments become more distributed, managing and optimizing data ...
