Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

need to show completion percentage with the following query

bluemarvel
Path Finder
‎03-13-2018 03:16 PM

the following produces all of the other stats except completion percentage

sourcetype=access_combined | transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1 |search action="addtocart" | stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted | eval %Completed=100*round(Completed/total,4)

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-13-2018 06:12 PM

Hi

Is this query what you want? (Let me know)

sourcetype=access_combined 
| transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1
|search action="addtocart" 
| stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted 
| eval totalCompleted=totalAttempted-totalFailed
| eval %Completed=100*round(totalCompleted/totalAttempted,4)

View solution in original post

Reply
Solved! Jump to solution

niketn
Legend
‎03-14-2018 02:40 AM

@bluemarvel, if your intent is to find out what percent of total items added to order did not get purchased your query with transaction command and closed_txn is not giving you results you expect. Transaction command keeps certain number of events in memory for correlating as per the arguments like maxspan and maxpause startswith endswith etc. Even if due to the settings/config transaction command may drop the unmatched events (even though match may actually exist).

So stats is a better fit for this situation (and will perform better as well), where you can control what you need to correlate. Try the following search where stats correlates events with same JSESSIONID and the get all the values of action as either "addtocart" or "purchase" (base search filters are used to drop events we are not interested in to make search run faster).

index="splunk_answers" sourcetype=access_combined* action IN ("addtocart","purchase") JSESSIONID=*
| stats count as EventCount dc(action) as distinctActions values(action) as action by JSESSIONID
| stats count(eval(action="addtocart")) as TotalAdded count(eval(action="addtocart" AND action!="purchase")) as AddedNotOrdered
| eval FailedPercent=round((AddedNotOrdered/TotalAdded)*100,1)

Please try out and confirm.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution
Solution

tiagofbmm
Influencer
‎03-13-2018 06:12 PM

Hi

Is this query what you want? (Let me know)

sourcetype=access_combined 
| transaction JSESSIONID startswith=eval(action="addtocart") endswith=eval(action="purchase") keepevicted=1
|search action="addtocart" 
| stats count(eval(closed_txn=0)) as totalFailed,count as totalAttempted 
| eval totalCompleted=totalAttempted-totalFailed
| eval %Completed=100*round(totalCompleted/totalAttempted,4)
Reply
Solved! Jump to solution

tiagofbmm
Influencer
‎03-14-2018 01:24 AM

Please accept the answer it solves your issue

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...