
How to get top 5 products for each day for 7 days?

nu_learner
Explorer

Hello,
I am new to Splunk. I need to get the top 5 products sold for each day, for the last 7 days. The products could be different each day, as shown in the example below.

                            Day (X-Axis)
Top 5 Products (Y-Axis)     1     2     3     4     5
1                           P1    PA    P4    AC    ZX
2                           P2    PB    P5    AR    P1
3                           P3    PC    PA    P5    AC
4                           P4    P1    P1    P4    AR
5                           P5    PD    AB    AX    AB


Is there a way to get it done? I tried the following but it gives me the same 5 products for all days and puts everything else in the "OTHER" bucket:

[my search]
| table _time, Product
| timechart count(Product) by Product WHERE max in top5


yuanliu
SplunkTrust

It kind of depends on how your sales number is obtained, i.e., what kind of data you have. Suppose you have a feed of each transaction in which one of the fields is Product. You can easily do

| bin _time span=1d@d
| top 5 Product by _time
| eval date = strftime(_time, "%F")
| stats list(Product) by date
| transpose header_field=date
| fields - column
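
A run-anywhere variant of the same idea, added here as an example and not part of the original answer: it builds constructed sample events with makeresults (the 700 events and the product names P0 to P11 are made up), counts sales per product per day, and ranks products within each day with sort and streamstats rather than top. The final xyseries produces the layout from the question, one row per rank and one column per date, which a timechart with WHERE max in top5 cannot do because it picks a single set of series for the whole time range.

```spl
| makeresults count=700
| eval _time = relative_time(now(), "-7d@d") + (random() % (7 * 86400))
| eval Product = "P" . tostring(random() % 12)
| bin _time span=1d
| stats count by _time Product
| sort 0 _time -count
| streamstats count AS rank by _time
| where rank <= 5
| eval date = strftime(_time, "%F")
| xyseries rank date Product
```

To use it on real data, replace the first three lines with your own base search that returns _time and Product.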
