Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timechart: First time purchasers and total purchasers per day

HeinzWaescher
Motivator
‎11-04-2013 05:13 AM

Hi everyone,

i would like to create a timechart for unique users who made at least one action="purchase" a day. I need the total count of unique purchasers and the count of unique users who made their first lifetime purchase on that day.

01.01.2013 , 10000 , 2000

This means:

On 01.01.2013 10000 unique users did a purchase. Out of these 10000, 2000 unique Users did their first lifetime purchase on that day. I would be able to create something like with two different searches and write the outputs in a single excelsheet afterwards. But it would be great to have it in one single splunk search.

Thanks for help

Heinz

Tags (1)
0 Karma
Reply

HeinzWaescher
Motivator
‎11-04-2013 06:56 AM

Hi,

the single searches i would use here and combine externally:

  1. to get the dc(user) per day

| timechart dc(eval(if(action="purchase", user, null())))

  1. to get every purchasers first day

| stats min(eval(if(action="purchase", __time, null()))) by user | eval day=strftime(_time, "%d.%m.%Y")

A count per day could be calculated out of the second search and could be added to the first table.

Best

Heinz

0 Karma
Reply

HeinzWaescher
Motivator
‎11-08-2013 02:47 AM

Thanks a lot 🙂

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 02:46 AM

Yep, _time is the default field for bin, and bin is an alias for bucket 🙂

0 Karma
Reply

HeinzWaescher
Motivator
‎11-08-2013 02:42 AM

Ah ok, so it seems to have the same effect as | bucket span=1d _time |

I've got the "first_time" as timestamp in seconds. So I have to use the bin command here as well, to be able to compare both timestamps. My approach would be this now and it seems to work:

| bin span=1d first_time
| bin span=1d _time
| timechart span=1d dc(user) AS Total_Users, dc(eval(if(_time=first_time, user, null()))) AS "New Users"

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-08-2013 02:31 AM

... | bin span=1d | ...

After that _time will be in unixtime (seconds since 1970) rounded down to midnight. If your first_time is a date as a string (ie "2013-11-08") you can use strftime(_time, "%Y-%m-%d") to convert the timestamp to the same format.

Reply

HeinzWaescher
Motivator
‎11-08-2013 01:59 AM

Thanks for the input. I got some questions regarding this:

What does "bin by day" mean?
And in what kind of format do I need "first day" here to compare it to _time? Unixtime?

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-04-2013 08:30 AM

Without thinking about precise syntax, here's an approach that should work:

  • start with your base search before these two reporting pipes
  • replace the stats call with an eventstats, computing the first day by user
  • bin by day
  • stats dc(blah) count(eval(_time==first_day))
  • maybe some cosmetics
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-04-2013 06:20 AM

Additionally, post the two single queries you would use.

0 Karma
Reply

adityapavan18
Contributor
‎11-04-2013 05:41 AM

could you provide sample event for this scenario

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...