Use a subsearch

In this section you will learn how to correlate events by using subsearches.

A subsearch is a search that is used to narrow down the set of events that you search on. The result of the subsearch is then used as an argument to the primary, or outer, search. Subsearches are enclosed in square brackets within a main search and are evaluated first.

Let's find the single most frequent shopper on the Buttercup Games online store, and what that shopper has purchased. The following examples show why a subsearch is useful. Example 1 shows how to find the most frequent shopper without a subsearch. Example 2 shows how to find the most frequent shopper with a subsearch.

Example 1: Without a subsearch

You want to find the single most frequent shopper on the Buttercup Games online store and what that shopper has purchased.

Step 1: Use the top command to return the most frequent shopper.

To find the shopper who accessed the online shop the most, use this search.

    sourcetype=access_* status=200 action=purchase | top limit=1 clientip

The limit=1 argument specifies to return 1 value. The clientip argument specifies the field to return. This search returns one clientip value, 87.194.216.51, which you will use to identify the VIP shopper. The search also returns a count and a percent. These are the default fields that are returned with the top command.

Step 2: Use the stats command to count the purchases by this VIP customer.

You now need to run another search to determine how many different products the VIP shopper has purchased.

    sourcetype=access_* status=200 action=purchase clientip=87.194.216.51 | stats count, distinct_count(productId), values(productId) by clientip

This search uses several statistical functions with the stats command. The count() function returns the total count of the purchases for the VIP shopper. The distinct_count() function, whose alias is dc(), counts the number of different, or unique, products that the shopper bought. The values() function displays the distinct product IDs as a multivalue field.

The drawback to this approach is that you have to run two searches each time you want to build this table. The top purchaser is not likely to be the same person in every time range.

Example 2: With a subsearch

Let's start with our first requirement, to identify the single most frequent shopper on the Buttercup Games online store.

    sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip

This search is almost identical to the search in Example 1 Step 1. The difference is the last piped command, | table clientip, which displays the clientip information in a table. Because you specified only the clientip field with the table command, that is the only field returned. The count and percent fields that the top command generated are discarded from the output. This search returns the clientip for the most frequent shopper, clientip=87.194.216.51.

To find what this shopper has purchased, you run a search on the same data. You provide the result of the most frequent shopper search as one of the criteria for the purchases search. The most frequent shopper search becomes the subsearch for the purchases search. The purchases search is referred to as the outer or primary search.

A subsearch is enclosed in square brackets and processed first when the search criteria are parsed. Because you are searching the same data, the beginning of the outer search is identical to the beginning of the subsearch. Copy and paste the following search into the Search bar and run the search.

    sourcetype=access_* status=200 action=purchase [search sourcetype=access_* status=200 action=purchase | top limit=1 clientip | table clientip] | stats count, distinct_count(productId), values(productId) by clientip

Because the top command returns the count and percent fields, the table command is used to keep only the clientip value.

These results should match the result of the two searches in Example 1, if you run them on the same time range. If you change the time range, you might see different results because the top purchasing customer will be different.

The performance of this subsearch depends on how many distinct IP addresses match status=200 AND action=purchase. If there are thousands of distinct IP addresses, the top command has to keep track of all of those addresses before the top 1 is returned, impacting performance. By default, subsearches return a maximum of 10,000 results and have a maximum runtime of 60 seconds.
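The following Python model is an added illustration, not Splunk code or tutorial data: it emulates how the subsearch above is evaluated first, how its clientip rows become a filter criterion for the outer search, and how the default 10,000-row cap silently truncates what the outer search receives. The events, IP addresses other than 87.194.216.51, and product IDs are constructed.

```python
from collections import Counter

# Constructed sample events standing in for sourcetype=access_* data.
EVENTS = [
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "PROD-A"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "PROD-B"},
    {"clientip": "87.194.216.51", "status": 200, "action": "purchase", "productId": "PROD-A"},
    {"clientip": "10.0.0.20", "status": 200, "action": "purchase", "productId": "PROD-C"},
    {"clientip": "10.0.0.20", "status": 200, "action": "purchase", "productId": "PROD-C"},
    {"clientip": "10.0.0.30", "status": 200, "action": "purchase", "productId": "PROD-D"},
    {"clientip": "10.0.0.30", "status": 503, "action": "purchase", "productId": "PROD-D"},  # not status=200
    {"clientip": "87.194.216.51", "status": 200, "action": "addtocart", "productId": "PROD-E"},  # not a purchase
]

def base_search(events):
    """Emulates: sourcetype=access_* status=200 action=purchase"""
    return [e for e in events if e["status"] == 200 and e["action"] == "purchase"]

def top_clientip(events, limit=1):
    """Emulates: | top limit=N clientip | table clientip
    Every distinct IP must be counted before the top N can be chosen,
    which is why the page warns about thousands of distinct addresses."""
    counts = Counter(e["clientip"] for e in events)
    return [ip for ip, _ in counts.most_common(limit)]

def subsearch_filter(rows, max_results=10_000):
    """Turns subsearch rows into the set of clientip values the outer
    search matches on. Rows beyond the cap (Splunk default 10,000) are
    dropped without error, so an over-large subsearch under-filters."""
    return set(rows[:max_results])

def stats_by_clientip(events):
    """Emulates: | stats count, distinct_count(productId), values(productId) by clientip"""
    rows = {}
    for e in events:
        row = rows.setdefault(e["clientip"], {"count": 0, "products": set()})
        row["count"] += 1
        row["products"].add(e["productId"])
    return {ip: {"count": r["count"], "dc": len(r["products"]), "values": sorted(r["products"])}
            for ip, r in rows.items()}

def vip_purchases(events):
    """Whole Example 2 search: subsearch first, then outer search with stats."""
    purchases = base_search(events)
    vip_ips = subsearch_filter(top_clientip(purchases, limit=1))
    return stats_by_clientip([e for e in purchases if e["clientip"] in vip_ips])

if __name__ == "__main__":
    print(vip_purchases(EVENTS))
```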