Combining subsearches with transaction
Let's put what we learned about subsearches together with transactions. Let's imagine that q=1 represents a particular entry point into our site, perhaps a link from an advertisement. We can use subsearch to find users that clicked on the advertisement, then use transaction to determine how long these users stayed on our site.
To do this, first we need to locate the sessions initiated from this link. The search
can be as simple as:
sourcetype="impl_splunk_web" q=1
This will return events like:
2012-04-27T07:13:19 user=user1 GET /foo?q=1 uid=NDQ5NjIzNw
In our fictitious logs, the field uid represents a session ID. Let's use stats to return one row per unique uid:
sourcetype="impl_splunk_web" q=1
| stats count by uid
This will render a table like this (the first 10 rows are shown):
We need to add one more command, fields, to limit the fields that come out of our subsearch:
sourcetype="impl_splunk_web" q=1
| stats count by uid
| fields uid
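The two stages this section sets out to combine, written as an added Python example (not from the original text and not Splunk code): the inner search collects the uid values of sessions that entered through q=1, and the outer stage groups every event for those uid values and measures first-to-last time, as transaction's duration field does. The log lines are constructed in the format shown above, the function names are hypothetical, and transaction options such as pause limits are not modelled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the page's log format (not real data).
SAMPLE_LOG = """\
2012-04-27T07:13:19 user=user1 GET /foo?q=1 uid=NDQ5NjIzNw
2012-04-27T07:14:02 user=user1 GET /bar uid=NDQ5NjIzNw
2012-04-27T07:20:49 user=user1 GET /checkout uid=NDQ5NjIzNw
2012-04-27T07:15:00 user=user2 GET /foo?q=2 uid=MTIzNDU2Nw
2012-04-27T07:18:30 user=user2 GET /bar uid=MTIzNDU2Nw
2012-04-27T08:00:00 user=user3 GET /foo?q=1 uid=OTg3NjU0Mw
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) [A-Z]+ (?P<path>\S+) uid=(?P<uid>\S+)$")
Q_RE = re.compile(r"[?&]q=([^&]*)")

def parse_events(text):
    """Turn raw lines into dicts with time, uid and the q parameter (None if absent)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        q = Q_RE.search(m["path"])
        events.append({"time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
                       "uid": m["uid"], "q": q.group(1) if q else None})
    return events

def subsearch_uids(events):
    """Inner search: q=1 | stats count by uid | fields uid -> the set of session IDs."""
    return {ev["uid"] for ev in events if ev["q"] == "1"}

def session_durations(events, uids):
    """Outer stage: keep ALL events for those uids, group by uid, seconds first-to-last."""
    times = defaultdict(list)
    for ev in events:
        if ev["uid"] in uids:
            times[ev["uid"]].append(ev["time"])
    return {uid: int((max(t) - min(t)).total_seconds()) for uid, t in times.items()}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for uid, secs in sorted(session_durations(evs, subsearch_uids(evs)).items()):
        print(uid, secs)
```

Note that the outer stage filters on uid alone, not on q=1: the later page views in a session carry no q parameter, which is why the session IDs have to be found first and then used to pull in the rest of each session.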