Hello,
My goal is to find and combine data from multiple sources.
Here:
Now my goal is to find how many company-wide products each department uses, grouped by DepartmentName, ProductName, and Count.
The department name is in the "employee_lookup" table along with employee name, department name. So when any employee clicks on a product, it is counted as a product use and the data is logged into Splunk.
My Splunk query is as follows:
data = "global"
| lookup product_lookup productID OUTPUT ProductName
| lookup employee_lookup userID OUTPUT DepartmentName
| table ProductName, DepartmentName, UserID
That query does not work...
My goal is to find the total count of product usages by Department.
The resulting table should be like:
DepartmentName, Product, count
--------------------------------------------------
Dept_5, Product1234, 2000
Dept_5, Product333, 1434
Dept_5, Product633, 600
Dept_2, Product333, 2500
Dept_2, Product215, 2500
Dept_2, Product415, 1200
....
So basically group by department, product, count.
Any suggestions and recommendations would be very helpful. Thank you!
I had a typo and it works now.
However, a couple more questions, because I cannot do:
How do I do that?
your query
| stats count by DepartmentName, ProductName
If your log has both the productID and userID fields, your query will run.
If these aren't there, you should provide more details.
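The complete search implied by the answer above, written out as an added example (not part of the original posts). It also covers one edge case: `stats ... by` silently drops events where a by-field is null, so a click whose productID or userID has no match in the lookups would vanish from the counts unless the null is filled first. It assumes the `product_lookup` and `employee_lookup` definitions and the field names shown in the question; the `(no match)` label is a made-up placeholder value.

```spl
data="global"
| lookup product_lookup productID OUTPUT ProductName
| lookup employee_lookup userID OUTPUT DepartmentName
| fillnull value="(no match)" ProductName DepartmentName
| stats count by DepartmentName, ProductName
| rename ProductName AS Product
| sort 0 DepartmentName, -count
```

Rows labelled `(no match)` show how many click events carry an ID that is missing from a lookup, which is worth checking before trusting the per-department totals.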