The performance of this subsearch depends on how many distinct IP addresses match status=200 AND action=purchase. If you change the time range, you might see different results because the top purchasing customer will be different. These results should match the result of the two searches in Example 1, if you run it on the same time range. Sourcetype=access_* status=200 action=purchase | stats count, distinct_count(productId), values(productId) by clientipīecause the top command returns the count and percent fields, the table command is used to keep only the clientip value.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |