Referring to the tutorial http://docs.splunk.com/Documentation/Splunk/6.5.3/SearchTutorial/Searchwithfieldlookups,
sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID" BY clientip | rename clientip AS "VIP Customer"
will display 4 fields, "VIP Customer", "Total Purchases", "Total Products" and "Product ID".
How do I also show the Product Name in this search?
Hi wuming79,
Where is the Product_Name field?
If it's in your index, you can also add this to your stats command:
values(Product_Name) AS Product_Name
If instead it's in a lookup, you have to add a row before the stats command:
sourcetype=access_* status=200 action=purchase
[search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip]
| lookup products.csv productId OUTPUT Product_Name
| stats count AS "Total Purchased", dc(productId) AS "Total Products", values(productId) AS "Products ID", values(Product_Name) AS Product_Name BY clientip
| rename clientip AS "VIP Customer"
For performance, I always prefer to insert the index in my main search.
Bye.
Giuseppe
Thanks Cusello!
Hi wuming79,
If you're satisfied with this answer, please accept it.
Bye.
Giuseppe