I'm using the Splunk sample tutorial data and I want to figure out how to find the best selling and worst selling product by a specific product_name and country. Here is my current search:
index="tutorial" sourcetype="access_combined_wcookie" "action=purchase"
| iplocation clientip
| eventstats count as units_sold by product_name Country
However, if I just do a min and max in the next stats command I don't really get the associated product_name or I don't get the Country as well. My expected result is:
Country | Best Selling | Worst Selling |
United States | Product1 | Product6 |
Would something like this work?
index="tutorial" sourcetype="access_combined_wcookie" "action=purchase"
| iplocation clientip
| stats count as units_sold by product_name Country
| sort Country units_sold
| stats first(product_name) as worse_selling last(product_name) as best_selling by Country
I'm an idiot. I didn't even think about first and last. I got tunnel vision on the units_sold. TY