Solved: counting results in sub-query

stephenmoorhous · ‎06-27-2017

I have a list of log lines which indicate an order has been placed and have a session id (sid) but no customer id (cid)
I also have a list of log lines which have a session id and a customer id

so
index=foo sourcetype=bar sid=123 orderplaced=1
index=foo sourcetype=zzz sid=123 cid=1 this=some
index=foo sourcetype=zzz sid=123 cid=1 this=random
index=foo sourcetype=zzz sid=123 cid=1 this=stuff
index=foo sourcetype=bar sid=123 orderplaced=1
index=foo sourcetype=zzz sid=123 cid=1 this=more
index=foo sourcetype=zzz sid=123 cid=1 this=random
index=foo sourcetype=zzz sid=123 cid=1 this=thing
index=foo sourcetype=bar sid=321 orderplaced=1
index=foo sourcetype=zzz sid=321 cid=2 this=etc
index=foo sourcetype=zzz sid=555 cid=3 this=etc

etc

what i want is a count of how many orders each customer has placecd so the above would produce
cid count
1 2
2 1
3 0

I have
index=foo sourcetype=zzz [search index=foo sourcetype=bar orderplaced=1 | fields sid] | stats count by cid
but this counts all the log lines in foo so cid=1 gets a count of 6

I'm sure there is a simple solution but can think of it

Thanks

cmerriman · ‎06-27-2017

View solution in original post

cmerriman · ‎06-27-2017

counting results in sub-query

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

counting results in sub-query

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases