Solved: Re: Help with stats table output

adlireza · ‎09-28-2017

I have a dataset that can be represented as below:

Region=A State=1 City=a Product=Apple
Region=A State=1 City=b Product=Apple
Region=A State=1 City=c Product=Orange
Region=B State=1 City=d Product=Pineapple
Region=B State=2 City=e Product=Apple
Region=C State=1 City=f Product=Orange
Region=C State=2 City=g Product=Orange

How can I summarize by Region and State have a stats output table as below:

Region  |  State  | Apple  |  Orange  |  Pineapple
   A    |   1     |    2   |     0    |     0
   B    |   1     |    0   |     1    |     1
   B    |   2     |    1   |     0    |     0
   C    |   1     |    0   |     1    |     0
   C    |   2     |    0   |     1    |     0

HiroshiSatoh · ‎09-28-2017

Try this!

 (your search)   |stats 
count(eval(Product="Apple") as Apple,
count(eval(Product="Orange") as Orange,
count(eval(Product="Pineapple") as Pineapple, by Region,State

※Field extraction is required.
Region,State,Product

View solution in original post

HiroshiSatoh · ‎09-28-2017

Try this!

 (your search)   |stats 
count(eval(Product="Apple") as Apple,
count(eval(Product="Orange") as Orange,
count(eval(Product="Pineapple") as Pineapple, by Region,State

※Field extraction is required.
Region,State,Product

adlireza · ‎10-02-2017

It's missing a few round brackets, but this is the answer that helped me, thanks.

Help with stats table output

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!