Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to build a table to where the rows are results from previous field operation about common and uncommon values

andres91302
Communicator
‎03-27-2021 09:32 PM
Hello my dear splunkers I hope you are doing very well.. I would REALLY be so thankful if u can help me put with the following.... Im trying to create a table where the rows are the results from count of some values that I need.. first I will have to search in 3 differentent indexes and then I will have to create this table: fields common to all = ID. the other field is type or product bought A B or C I need to put in a table by month of year the total amount of IDS that bought only product A, and the total amount of product that bought A & B (that means they did not buy C at all) and the total IDS that bought (B & C ) meaning they didnt buy any A at all and finally the IDS that didnot buy anything at all like this: Category ids total Only A 58 (A & B) 15 Nothing at all 254 THANK YOU SO SO MUCH I TRULLY REALLY MEAN IT
Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-28-2021 12:30 AM

Splunk is a tool that works really well with data. Please can you provide some real sample data and perhaps the queries you have so far?

0 Karma
Reply

andres91302
Communicator
‎03-28-2021 08:02 AM

Hello! thank you so much for trying to help me out I am truly greateful for that.. this is the data I'm working with

| multisearch
[|search index="products_sold" AND productId=A AND ID_INFO=* | IDA=ID_INFO]
[|search index="products_sold" AND productId=B AND ID_INFO=* | IDB=ID_INFO]
[|search index="products_sold" AND productId=C  AND ID_INFO=* | IDC=ID_INFO]
| fields IDA IDB IDC
# IDA are the people who bought product A, IDB bought product B , IDC bought product C 
let's say that for yesterday I have the following

IDA= 11, 10,12, 78, 89,13
IDB= 11, 10, 45,13
IDC= 11, 10, 25

I want to be able to get this table :

CategoryTotal IDS
Only A3
Only B1
only C1
A & B3
B & C2
C & A2
A, B, C2

 

Only A = 3 because the IDS (12, 78, 89) only bought during that time product A
A,B,C = 2 because the IDS (10,11) boought produts A B and C during this time

I hope  this can ilustrate what I am trying to achive and I can not stress enough how much you guy's help means to me THANK YOU SO SO MUCH to anyone that can help me

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-28-2021 11:12 PM 
| multisearch
[|search index="products_sold" AND productId=A AND ID_INFO=*]
[|search index="products_sold" AND productId=B AND ID_INFO=*]
[|search index="products_sold" AND productId=C AND ID_INFO=*]
| stats values(productId) as Category by ID_INFO
| eval Category=mvjoin(Category,",")
| stats count as "Total IDS" by Category
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...