Solved: How to get top 5 products for each day for 7 days?

nu_learner · ‎01-13-2023

Hello,
I am new to splunk. I need to get the top 5 products sold for each day, for the last 7 days. The products could be different each day, as shown in the example below.

	Day (X-Axis)
Top 5 Products (Y-Axis)	1	2	3	4	5
1	P1	PA	P4	AC	ZX
2	P2	PB	P5	AR	P1
3	P3	PC	PA	P5	AC
4	P4	P1	P1	P4	AR
5	P5	PD	AB	AX	AB

Is there a way to get it done? I tired the following but it gives me the same 5 products for all days and puts everything else in "OTHER" bucket:

[my search]
| table _time, Product
| timechart count(Product) byProduct WHERE max in top5

yuanliu · ‎01-13-2023

It kind of depends on how your sales number is obtained, i.e., what kind of data you have. Suppose you have a feed of each transaction in which one of the field is Product. You can easily do

| bin _time span=1d@d
| top 5 Product by _time
| eval date = strftime(_time, "%F")
| stats list(Product) by date
| transpose header_field=date
| fields - column

View solution in original post

nu_learner · ‎01-17-2023

Another example that helped me: https://community.splunk.com/t5/Splunk-Search/top10-for-each-span-in-a-time-chart/m-p/456597

yuanliu · ‎01-13-2023

It kind of depends on how your sales number is obtained, i.e., what kind of data you have. Suppose you have a feed of each transaction in which one of the field is Product. You can easily do

| bin _time span=1d@d
| top 5 Product by _time
| eval date = strftime(_time, "%F")
| stats list(Product) by date
| transpose header_field=date
| fields - column

How to get top 5 products for each day for 7 days?

table

timechart

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk