Solved: Using Search Tutorial data, how to search for the ...

hcheang · ‎11-25-2014

Hi, I'm going over the search tutorial and have a question regarding the stats command.

What I'm trying to find is to find best selling item, number of best selling item sold and total number of items sold by country.

I've managed to get the stats for both best selling item and total number of items sold but not the number of best selling item sold.

My search query is

buttercup*  price=* action=purchase|iplocation clientip|stats max(productId) as "Best Seller" count as "Sold Total" by Country

I've tried count(max(productId)) which doesn't seem to work.

Can I get help or any suggestion for which command to use to get a chart like

      Country            Best Seller       Sold           Sold Total
     Argentina            WC-SH-G04         3                11

Thanks in advance!

somesoni2 · ‎11-25-2014

Try this

buttercup*  price=* action=purchase|iplocation clientip | stats count by productId Country  | eventstats max(count) as max by Country | eval BestSeller=if(count=max,productId,null()) | stats values(BestSeller) as "Best Seller" , first(max) as Sold, sum(count) as "Sold Total" by Country

View solution in original post

somesoni2 · ‎11-25-2014

Try this

buttercup*  price=* action=purchase|iplocation clientip | stats count by productId Country  | eventstats max(count) as max by Country | eval BestSeller=if(count=max,productId,null()) | stats values(BestSeller) as "Best Seller" , first(max) as Sold, sum(count) as "Sold Total" by Country

sophy · ‎11-26-2014

This is a great example to add to the Search Tutorial. Thank you! 😄

Using Search Tutorial data, how to search for the total number of items sold, the best selling item, and number of the best selling item sold by country?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?

Buttercup Games: Further Dashboarding Techniques (Part 6)