Splunk Search

How to search the item name with max number of items sold per hour?

th1agarajan
Path Finder

I need the item name and no of items sold based on max(itemSold) per hour

TimeItemNo Of ItemsSold
5:02xxx5
5:05yyy25
5:07zzz500
6:03yyy200
6:07zzz100
6:28xxx230

Expected result






TimeItemNo Of ItemsSold
5:00zzz500
6:00xxx230

MySearch


index=mystore* sourcetype=mystore source=mystore-APP host="mystore7540" | bucket span=1h _time | stats max(itemSold) by _time | sort _time

The above search works perfectly but i am getting only two fields in result i.e. Time and max(itemsSold). But i need the item name as well.

It tried something like this but it didn't work

index=mystore* sourcetype=mystore source=mystore-APP host="mystore7540" | bucket span=1h _time | stats max(itemSold) by _time | sort _time | fields item

Can someone help me on this.

Tags (4)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Your approach with bucket | stats is correct, it just lacks one more grouping field and a bit of postprocessing:

  base search | bucket span=1h _time | stats sum(itemSold) as sum by _time item
| eventstats max(sum) as max by _time | where max==sum | fields - max

Note, in the event of two items having the same sum per hour you will get two entries for that hour.

View solution in original post

martin_mueller
SplunkTrust
SplunkTrust

Your approach with bucket | stats is correct, it just lacks one more grouping field and a bit of postprocessing:

  base search | bucket span=1h _time | stats sum(itemSold) as sum by _time item
| eventstats max(sum) as max by _time | where max==sum | fields - max

Note, in the event of two items having the same sum per hour you will get two entries for that hour.

Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...