Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Joining two eventtypes based on an ID
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have two sets of data where one includes all of the product views, and one includes all of the downloads on the webapp. Both reports generate a userId and I have them extracted as fields.
Ideally I would like to join another search where it looks up the items that were downloaded based on the userId. An example of the nature the data is in:
_
Company Name // UserId // Product Name // View Count
Company ABCD // 11111 // Product A // 2
Company EFGH // 22222 // Product A // 7
Company IJKLM // 33333 // Product B // 5
_
User Id // Document Id // Download Count
11111 // 88194432978 // 1
11111 // 36634432211 // 2
22222 // 12983769718 // 1
33333 // 51928379855 // 3
_
Below is the search I use to get the product access based on a client:
eventtype="advisorViewedProduct" | top productName by companyName, userId | stats list(*) as * by companyName, userId | table companyName,userId,productName,count
The following is the search I use to get the document downloads:
eventtype"documentDownloads" | top documentId by userId | stats list(*) as * by userId | table userId, documentId, count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ]| stats values(*) as * by userId
| table companyName, userId productName "View count" documentId "Download count" | stats list(*) as * by companyName userId
Alternatively
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ] | eventstats values(companyName) as companyName by userId | stats list(*) as * by companyName userId | table companyName, userId productName "View count" documentId "Download count"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ]| stats values(*) as * by userId
| table companyName, userId productName "View count" documentId "Download count" | stats list(*) as * by companyName userId
Alternatively
eventtype="advisorViewedProduct" | top productName by companyName, userId | rename count as "View count"| append [search eventtype"documentDownloads" | top documentId by userId | rename count as "Download count" ] | eventstats values(companyName) as companyName by userId | stats list(*) as * by companyName userId | table companyName, userId productName "View count" documentId "Download count"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are the download terms? Is that in a separate log?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's all in the same log, just a different eventtype.
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Your Guide to Splunk Digital Experience Monitoring
Data Management Digest – November 2025
