https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699940#M115935 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272346">@Cleanhearty</a>&nbsp;,</P><P>check if the used fields (amount, gender, and category) are in the lookup and the name is exactly the same (field names are case sensitive).</P><P>then check the amount field format.</P><P>ciao.</P><P>Giuseppe</P> Tue, 24 Sep 2024 13:29:52 GMT gcusello 2024-09-24T13:29:52Z https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699494#M115885 <P>As a newbie I am currently working on a mini internship project which requires me to analyse a dataset using splunk. I have completed almost all but the last part of it which reads&nbsp;&nbsp;"gender that performed the most fraudulent activities and in what category". Basically im supposed to get the gender (F or M) that performed the most fraud in specifically in what category.&nbsp;The dataset which consists of a column of&nbsp; steps, customer, age,gender, Postcodeorigin, merchant, category,amount and fround from a file name fraud_report.csv . The file has already been uploaded to splunk.&nbsp; I am just stuck at the query part.</P> Thu, 19 Sep 2024 06:06:44 GMT https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699494#M115885 Cleanhearty 2024-09-19T06:06:44Z https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699497#M115886 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272346">@Cleanhearty</a>&nbsp;,</P><P>I suppose that you already ingested the csv file in a lookup or in an index.</P><P>If in a lookup you can define what you mean with "<SPAN>gender that performed&nbsp;the&nbsp;</SPAN><SPAN>most fraudulent activities and in what category", I suppose that you mean most fraudolent by amount,</SPAN></P><P><SPAN>so you could try something like this:</SPAN></P><LI-CODE lang="markup">| inputlookup fraud_report.csv | stats max(amount) AS amount BY gender category | sort -amount | head 10</LI-CODE><P>in this way, you have the top 10 categories by gender that have the greatest amount.</P><P>My hint is also to follow the Splunk Search Tutorial (<A href="https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial" target="_blank">https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial</A>) to learn how to run similar searches.</P><P>Ciao.</P><P>Giuseppe</P> Thu, 19 Sep 2024 06:30:06 GMT https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699497#M115886 gcusello 2024-09-19T06:30:06Z https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699939#M115934 <P>Thanks for the help. Unfortunately it didnt return any results(statistics(0)). That's weird.&nbsp;</P><P>PS: I replaced the file name with the origial.</P> Tue, 24 Sep 2024 13:13:11 GMT https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699939#M115934 Cleanhearty 2024-09-24T13:13:11Z https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699940#M115935 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/272346">@Cleanhearty</a>&nbsp;,</P><P>check if the used fields (amount, gender, and category) are in the lookup and the name is exactly the same (field names are case sensitive).</P><P>then check the amount field format.</P><P>ciao.</P><P>Giuseppe</P> Tue, 24 Sep 2024 13:29:52 GMT https://community.splunk.com/t5/Getting-Data-In/Difficulty-in-determining-the-query-to-extract-a-dataset/m-p/699940#M115935 gcusello 2024-09-24T13:29:52Z