How to split count by product by another value?

maxmukimov · ‎05-03-2021

Hi, I have the following query:

| bin _time span=1d | stats count as ProductCount by applysourcetype, product, _time   

| where _time=relative_time(now(), "-d@d") or _time=relative_time(now(), "-8d@d")   

| eval when = if(_time=relative_time(now(), "-d@d"), "(Yesterday)", "(7 Days Ago)")  

| eval "Products Ordered {when}" = ProductCount    

| fields - _time ProductCount  when

| stats  values(*) as * by product , applysourcetype

and I'm getting following output:

How can make product filed one row for unique product?

s2_splunk · ‎05-03-2021

| mvexpand product

at the end of your search should do the trick. mvexpand docs here.

maxmukimov · ‎05-03-2021

Getting the same results when I added

| mvexpand product

ITWhisperer · ‎05-03-2021

| stats list(*) as * by product

maxmukimov · ‎05-04-2021

got this

ITWhisperer · ‎05-04-2021

One unique product per row - which is what you said. If this is not what you wanted, perhaps you can give an example of what you were expecting?

maxmukimov · ‎05-04-2021

From original query I’m getting something like this :

I want to get something like this:

ITWhisperer · ‎05-05-2021

The standard table view doesn't merge cells across rows. Using stats list(*) as * by product should at least group the fields into multi-value lists which is close to what you want. If you still want separate rows for the counts, with blank entries in the product column for subsequent rows for the same product, you could use some CSS to hide them. This is a little fiddly to do but possible.

How to split count by product by another value?

eval

fields

stats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms