Splunk Search

Calculate Conversion Rate

HeinzWaescher
Motivator

Hi everbody,

I have got a field "Action" with different Values (A,B,C,D,E). I would like to calculate the percentage of my usersbase, who had at least one Action A, B or C.
Therefore i need the total usercount (this is no problem) and the count of users who had at least one of the actions A, B, C. I don't know how to create the second part, perhaps by aggregating these Values to a "new" Value or by a filter within a stats command?

These are my first steps in Splunk and it would be great if you could help me.

Thanks in advance

Heinz

Tags (2)
0 Karma

bwooden
Splunk Employee
Splunk Employee

There are several ways to get this result. One method is to filter relevant actions 'inline' using an eval within stats

... | stats count(user) as user_count sum(eval(case(action="A",1,action="B",1,action="C",1,1=1,0))) as filtered_action_count 

...the above method creates a value of "1" for any event with an action of A, B, or C and then adds those together in a field called filtered_action count. Completing the example, to calculate the percentage, we can use another eval:

... | stats count(user) as user_count sum(eval(case(action="A",1,action="B",1,action="C",1,1=1,0))) as filtered_action_count | eval percentage= round(filtered_action_count/user_count),2)

HeinzWaescher
Motivator

Hi,

thanks for your answer.
Using this search will count the total number of actions A,B,C. What I want to achieve in the second part of the seearch in the end, is the number of uniqe users who had such an action. In my understanding one part of the search has to be about

stats dc(user) as user_count -> this counts all my users

and the second part has to count the unique users for all splunk events who have the value "1" in the added field.

I hope this is understandable. Thanks in advance.

Heinz

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...