Solved: How to get all items after count and get a list of...

mabinn · ‎09-14-2018

Hi, what is the best way to get all items from a count? Let's say I have two columns. First column displays the items, second column displays how many were sold.

I want to create a third column that displays an array of receipt numbers according to items. Let's say that all receipts only had 1 item, so no duplication will happen.

items                            sold                                receipt_numbers
shampoo                        5                                     [123, 432, 654, 345, 664]
soap                                2                                     [112, 445]
razor                               1                                     [548]
cologne                           3                                     [765, 996, 273]

My current query is something like this

index=something source=xyz | dedup id | stats count(sold) by items

martin_mueller · ‎09-15-2018

If you want your stats to list all values of a field, tell it to: ... | stats count as sold, values(receipt_number) as receipt_numbers by items

View solution in original post

martin_mueller · ‎09-15-2018

If you want your stats to list all values of a field, tell it to: ... | stats count as sold, values(receipt_number) as receipt_numbers by items

mabinn · ‎09-14-2018

It doesn't need to be in array. I actually want to concat these receipt numbers later on using apendcols.

How to get all items after count and get a list of items in an array?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms