Solved: How to get top 5 products for each day for 7 days?

nu_learner · ‎01-13-2023

Hello,
I am new to splunk. I need to get the top 5 products sold for each day, for the last 7 days. The products could be different each day, as shown in the example below.

	Day (X-Axis)
Top 5 Products (Y-Axis)	1	2	3	4	5
1	P1	PA	P4	AC	ZX
2	P2	PB	P5	AR	P1
3	P3	PC	PA	P5	AC
4	P4	P1	P1	P4	AR
5	P5	PD	AB	AX	AB

Is there a way to get it done? I tired the following but it gives me the same 5 products for all days and puts everything else in "OTHER" bucket:

[my search]
| table _time, Product
| timechart count(Product) byProduct WHERE max in top5

yuanliu · ‎01-13-2023

It kind of depends on how your sales number is obtained, i.e., what kind of data you have. Suppose you have a feed of each transaction in which one of the field is Product. You can easily do

| bin _time span=1d@d
| top 5 Product by _time
| eval date = strftime(_time, "%F")
| stats list(Product) by date
| transpose header_field=date
| fields - column

View solution in original post

nu_learner · ‎01-17-2023

Another example that helped me: https://community.splunk.com/t5/Splunk-Search/top10-for-each-span-in-a-time-chart/m-p/456597

yuanliu · ‎01-13-2023

It kind of depends on how your sales number is obtained, i.e., what kind of data you have. Suppose you have a feed of each transaction in which one of the field is Product. You can easily do

| bin _time span=1d@d
| top 5 Product by _time
| eval date = strftime(_time, "%F")
| stats list(Product) by date
| transpose header_field=date
| fields - column

How to get top 5 products for each day for 7 days?

table

timechart

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?