Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Difficulty in determining the query to extract a dataset

Cleanhearty
New Member
‎09-18-2024 11:06 PM

As a newbie I am currently working on a mini internship project which requires me to analyse a dataset using splunk. I have completed almost all but the last part of it which reads  "gender that performed the most fraudulent activities and in what category". Basically im supposed to get the gender (F or M) that performed the most fraud in specifically in what category. The dataset which consists of a column of  steps, customer, age,gender, Postcodeorigin, merchant, category,amount and fround from a file name fraud_report.csv . The file has already been uploaded to splunk.  I am just stuck at the query part.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-18-2024 11:30 PM

Hi @Cleanhearty ,

I suppose that you already ingested the csv file in a lookup or in an index.

If in a lookup you can define what you mean with "gender that performed the most fraudulent activities and in what category", I suppose that you mean most fraudolent by amount,

so you could try something like this:

| inputlookup fraud_report.csv
| stats max(amount) AS amount BY gender category
| sort -amount 
| head 10

in this way, you have the top 10 categories by gender that have the greatest amount.

My hint is also to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial) to learn how to run similar searches.

Ciao.

Giuseppe

0 Karma
Reply

Cleanhearty
New Member
‎09-24-2024 06:13 AM

Thanks for the help. Unfortunately it didnt return any results(statistics(0)). That's weird. 

PS: I replaced the file name with the origial.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-24-2024 06:29 AM

Hi @Cleanhearty ,

check if the used fields (amount, gender, and category) are in the lookup and the name is exactly the same (field names are case sensitive).

then check the amount field format.

ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...