Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to calculate a value from 2 different sources?

kirthi_d
Engager
‎10-12-2019 12:17 PM

I am pretty new to splunk. It would be great if someone can help me with a search command. I have productId as one of fields in my index data. I added lookup from products.csv which has productId, product_name & price. Now I need a bar chart with top 5 most selling products. How to get the total price from count and price? My current search is as below:

index=* action="purchase" |lookup products productId as productId OUTPUT product_name price | top limit =5 product_name

The above query gives me count of purchase transactions by productId. How to get the total sale amount for each product. something like:
Product Name & Sale price (count by productId * price).
Also how to make each bar a different color. The below is not helping:
option name="charting.seriesColors">[0x12BF05,0xEAD619,0xBF2105,0xD71F93,0xC294B1]

Thanks in advance.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2019 04:41 PM

To get the total sale, first count the number of sales for each product then multiply that number by the price.

index=* action="purchase" |lookup products productId as productId OUTPUT product_name price 
| top limit =5 product_name
| stats count values(price) as price by product_name
| eval totalSale = count * price
| table product_name count price totalSale
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2019 04:41 PM

To get the total sale, first count the number of sales for each product then multiply that number by the price.

index=* action="purchase" |lookup products productId as productId OUTPUT product_name price 
| top limit =5 product_name
| stats count values(price) as price by product_name
| eval totalSale = count * price
| table product_name count price totalSale
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kirthi_d
Engager
‎10-12-2019 07:50 PM

Thanks. For some reason when I use top, it doesn't display price or totalSale. I removed top and replaced with sort and head 5. It is not the best way to do, but dont know why top is creating problem

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-13-2019 06:40 AM

top is a transforming command, similar to stats, meaning it only returns the fields explicitly named in the arguments. Usually, when top limit=5 foo is used, they really want sort 5 foo.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

kirthi_d
Engager
‎10-13-2019 02:19 PM

got it. I included the fields and looks perfect now. Thanks much..

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...