I have to find how many times a customer that has made a purchase has contacted the corporate line to complain. I can generate a table that shows me the customers that have made an actual purchase by ID, and also I can make a table of the customer that have called on the line to make a complaint.
The first table would look like this:
ID PRODUCT_BOUGHT
41545 x_98
1428 x_98
4856 x_91
8596 x_91
1254 x_96
and the second table would look like this:
ID CASE_NUMBER
41545 001
4856 002
4856 003
41545 004
1254 005
1254 006
The issue is that I need to count how many times each ID has called on the line and bring also the product bought and the case number received on the line. But I can only think of a multisearch in order to create the table but I can't seem to find any documentation on how to do the cross validation or even count and I feel like I'm hitting my head against a wall.
This is the multisearch that I am using:
| multisearch
[| search index="auxpik"
| search status="PAY.ok"
| fields ID PRODUCT_BOUGHT]
[|search index="auxpik"
| search in_calls="corp_cx_cases")
| fields ID CASE_NUMBER]
but since I am a Python user trying to learn Splunk I can't seem to find a way to obtain this table:
ID CALLS_ON_THE_LINE PRODUCT_AND_CASES
41545 2 x_98-001-004
4856 2 x_91-002-003
1254 2 x_96-005-006
1428 0 x_98
8596 0 x_91
Multisearch shouldn't be necessary. Try this
(index="auxpik" status="PAY.ok") OR (index="auxpik" in_calls="corp_cx_cases")
| fields ID PRODUCT_BOUGHT CASE_NUMBER
| stats values(*) as * by ID
If you really want to use multisearch then the stats command should produce the results you want.