Description

Appends the results of a subsearch to the current results. The append command runs only over historical data and does not produce correct results if used in a real-time search.

For more information about when to use the append command, see the flowchart in the topic About event grouping and correlation in the Search Manual.

If you are familiar with SQL but new to SPL, see Splunk SPL for SQL users.

Required arguments

subsearch
Syntax: [subsearch]
Description: A secondary search where you specify the source of the events that you want to append. See About subsearches in the Search Manual. The subsearch must be enclosed in square brackets.

Optional arguments

subsearch-options
Syntax: extendtimerange=<boolean> | maxtime=<int> | maxout=<int> | timeout=<int>
Description: Controls how the subsearch is processed.

Subsearch options

extendtimerange
Syntax: extendtimerange=<boolean>
Description: Specifies whether to include the subsearch time range in the time range for the entire search. Use the extendtimerange argument when the time range in the subsearch extends beyond the time range for the main search. Use this argument when a transforming command, such as chart, timechart, or stats, follows the append command in the search and the search uses time-based bins.
Default: false

maxtime
Syntax: maxtime=<int>
Description: The maximum time, in seconds, to spend on the subsearch before automatically finalizing.
Default: 60

maxout
Syntax: maxout=<int>
Description: The maximum number of result rows to output from the subsearch.
Default: 50000

timeout
Syntax: timeout=<int>
Description: The maximum time, in seconds, to wait for the subsearch to fully finish.

The append command is a transforming command. See Command types.

Examples

1. Use the append command to add column totals.

This search uses recent earthquake data downloaded from the USGS Earthquakes website. The data is a comma-separated ASCII text file that contains magnitude (mag), coordinates (latitude, longitude), region (place), etc., for each earthquake recorded. You can download a current CSV file from the USGS Earthquake Feeds and upload the file to your Splunk instance. This example uses the All Earthquakes data from the past 30 days.

Count the number of earthquakes that occurred in and around California yesterday and then calculate the total number of earthquakes.

source=usgs place=*California* | stats count by magType | append [search source=usgs place=*California* | stats count]

This example uses a subsearch to count all the earthquakes in the California regions (place="*California"), then uses the main search to count the number of earthquakes by magnitude type (magType). You cannot use the stats command to simultaneously count the total number of events and the number of events for a specified field. The subsearch is used to count the total number of earthquakes that occurred. This count is added to the results of the previous search with the append command. Because both searches share the count field, the results of the subsearch are listed as the last row in the count column. The results appear on the Statistics tab and look something like this:

This search demonstrates how to use the append command in a way that is similar to using the addcoltotals command to add the column totals.

2. Count the number of different customers who purchased items. Append the top purchaser for each type of product.

This example uses the sample data from the Search Tutorial. To try this example on your own Splunk instance, you must download the sample data and follow the instructions to get the tutorial data into Splunk.

Count the number of different customers who purchased something from the Buttercup Games online store yesterday, and break this count down by the type of product (accessories, t-shirts, and type of games) they purchased. Also, list the top purchaser for each type of product and how much that person bought of that product. Use the time range Yesterday when you run the search.

sourcetype=access_* action=purchase | stats dc(clientip) BY categoryId | append | table categoryId, dc(clientip), clientip, count

This example first searches for purchase events (action=purchase). These results are piped into the stats command, and the dc(), or distinct_count(), function is used to count the number of different users who make purchases.
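The following is an added example, not part of the Splunk documentation: a small in-memory model of what `stats count by magType | append [... | stats count]` does to the result table, so the shape of the appended row (shared `count` column lined up, `magType` empty on the total row) and the effect of `maxout` can be inspected without a Splunk instance. The field and command names follow the page; the earthquake rows are constructed sample data, and the `search_place_california`, `stats_count_by`, `stats_count`, `append` and `render` helpers are this example's own simplifications, not Splunk's implementation.

```python
"""Toy model of Splunk's append command on constructed earthquake rows (added example)."""
from collections import Counter
from typing import Dict, List, Optional

Row = Dict[str, Optional[object]]

# Constructed sample of USGS-style records; only the fields the page's example needs.
QUAKES: List[Row] = [
    {"place": "10km NE of Ridgecrest, California", "magType": "ml", "mag": 2.1},
    {"place": "5km W of Cobb, California", "magType": "md", "mag": 1.4},
    {"place": "Northern California", "magType": "ml", "mag": 3.0},
    {"place": "20km S of Reno, Nevada", "magType": "ml", "mag": 2.5},
    {"place": "8km SE of Anza, California", "magType": "mw", "mag": 4.2},
]


def search_place_california(rows: List[Row]) -> List[Row]:
    """Models the filter place=*California* (wildcard substring match on place)."""
    return [r for r in rows if "California" in str(r["place"])]


def stats_count_by(rows: List[Row], field: str) -> List[Row]:
    """Models `stats count by <field>`: one row per distinct value plus a count column."""
    counts = Counter(str(r[field]) for r in rows)
    return [{field: value, "count": n} for value, n in sorted(counts.items())]


def stats_count(rows: List[Row]) -> List[Row]:
    """Models `stats count`: a single row holding the total."""
    return [{"count": len(rows)}]


def append(main: List[Row], sub: List[Row], maxout: int = 50000) -> List[Row]:
    """Models `append [subsearch]`.

    Subsearch rows are added after the main rows. Fields that share a name land in
    the same column; a field a row does not carry is empty (None). maxout caps the
    number of subsearch rows kept; the page's default is 50000.
    """
    sub = sub[:maxout]
    fields: List[str] = []
    for r in main + sub:
        for f in r:
            if f not in fields:
                fields.append(f)
    return [{f: r.get(f) for f in fields} for r in main + sub]


def california_by_magtype_with_total(rows: List[Row] = QUAKES) -> List[Row]:
    """source=usgs place=*California* | stats count by magType | append [... | stats count]"""
    california = search_place_california(rows)
    main = stats_count_by(california, "magType")
    sub = stats_count(california)  # the subsearch re-runs the same filter
    return append(main, sub)


def render(rows: List[Row]) -> str:
    """Renders rows the way the Statistics tab would: blank cell for a missing field."""
    if not rows:
        return ""
    fields = list(rows[0].keys())
    lines = ["\t".join(fields)]
    for r in rows:
        lines.append("\t".join("" if r[f] is None else str(r[f]) for f in fields))
    return "\n".join(lines)


if __name__ == "__main__":
    # The last row is the subsearch's total: count is filled in, magType is blank.
    print(render(california_by_magtype_with_total()))
```

Running the block prints a four-row table: md 1, ml 2, mw 1, and a final row with an empty magType and count 4, which is the column-total effect the page compares to addcoltotals. Passing a smaller `maxout` to `append` drops subsearch rows beyond that limit, the same behaviour to watch for when a subsearch returns more rows than the default allows.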