Splunk Search

get total results per client per item for the last 7 days

Path Finder

I would like to create a panel that displays in a table a historical records of counts for the last 7 days. The totals would be per client per item which follows this json format:

  {"authorUrl":"michael_scooter","pubDate":"2014-04-30 11:27:49","clientId":"665",
  "itemSold":"((samsung TV))"}

So basically I would like to view the total counts of itemSold for each clientId for the last 7 days. Here is what I have now:

search sourcetype="itemsSold.newIndex.stats"| timechart count by itemSold

Thanks.

0 Karma
1 Solution

Revered Legend

If with search

sourcetype="itemsSold.newIndex.stats" | table _time, clientId, itemSold

You get output like

_time                clientId     itemSold
2014-04-30 11:27:49    665     ((samsung TV)) 
2014-04-30 11:29:49    669     ((apple TV))        -- example
....
....

Updated Query

Try this

sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | bucket span=1d _time | stats count by _time, clientId,itemSold

OR

sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | stats count by clientId, itemSold

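The accepted query relies on three SPL behaviours that are easy to misread: earliest=-7d@d snaps the window start to midnight seven days back, bucket span=1d truncates _time to the day, and stats count by accepts several split-by fields (timechart accepts only one, which is why a timechart ... by clientId, itemSold variant errors out). The script below is an added example, not code from this thread or from Splunk: it emulates those steps in Python over constructed events in the JSON shape from the question, with a fixed "now" so the result is reproducible. It also covers the per-client restriction from the later reply (clientId="665" in the base search). The function names, the sample events and the NOW value are assumptions of the example; Splunk itself would use the wall clock and its own parser. The same shape (count per entity per day over a trailing window) is what a per-user or per-host activity baseline looks like in a detection dashboard, so the emulation is a useful way to sanity-check expected row counts before wiring a panel.

```python
import json
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events in the JSON shape shown in the question (not real data).
# The last event is deliberately older than the 7-day window and must be dropped.
RAW_EVENTS = [
    '{"authorUrl":"michael_scooter","pubDate":"2014-04-30 11:27:49","clientId":"665","itemSold":"((samsung TV))"}',
    '{"authorUrl":"michael_scooter","pubDate":"2014-04-30 15:02:10","clientId":"665","itemSold":"((samsung TV))"}',
    '{"authorUrl":"pam_b","pubDate":"2014-04-29 09:11:00","clientId":"669","itemSold":"((apple TV))"}',
    '{"authorUrl":"pam_b","pubDate":"2014-04-28 18:45:31","clientId":"665","itemSold":"((apple TV))"}',
    '{"authorUrl":"dwight_s","pubDate":"2014-04-20 08:00:00","clientId":"665","itemSold":"((samsung TV))"}',
]

# Fixed "now" (an assumption of the example) so the window is reproducible.
NOW = datetime(2014, 4, 30, 12, 0, 0)


def earliest_snap(now, days=7):
    """Emulates earliest=-7d@d: subtract 7 days, then snap back to midnight."""
    return (now - timedelta(days=days)).replace(hour=0, minute=0, second=0, microsecond=0)


def bucket_day(ts):
    """Emulates `bucket span=1d _time`: truncate the timestamp to its day."""
    return ts.replace(hour=0, minute=0, second=0, microsecond=0)


def parse_events(raw_lines):
    """Parse JSON events and derive _time from pubDate, as Splunk would at index time."""
    events = []
    for line in raw_lines:
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["pubDate"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def count_by(events, keys, now=NOW, client_id=None):
    """Emulates `earliest=-7d@d [clientId="X"] | bucket span=1d _time | stats count by <keys>`.

    keys is a tuple of field names; "_time" is reported as the bucketed day (YYYY-MM-DD).
    client_id, when given, plays the role of the clientId="..." term in the base search.
    Returns {tuple(key values): count}.
    """
    earliest = earliest_snap(now)
    counts = Counter()
    for ev in events:
        if ev["_time"] < earliest:          # outside the trailing 7-day window
            continue
        if client_id is not None and ev["clientId"] != client_id:
            continue
        row = tuple(
            bucket_day(ev["_time"]).strftime("%Y-%m-%d") if k == "_time" else ev[k]
            for k in keys
        )
        counts[row] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    print("window starts at", earliest_snap(NOW))
    print("\nstats count by _time, clientId, itemSold")
    for row, n in sorted(count_by(evs, ("_time", "clientId", "itemSold")).items()):
        print(*row, n, sep="\t")
    print("\nstats count by clientId, itemSold (clientId=665 only)")
    for row, n in sorted(count_by(evs, ("clientId", "itemSold"), client_id="665").items()):
        print(*row, n, sep="\t")
```

Running it prints the window start (2014-04-23 00:00:00 for the fixed NOW), then the daily and the per-client tables; the 2014-04-20 event never appears because the snapped window excludes it.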


Path Finder

Thanks, got it.

0 Karma

Revered Legend

Add the criteria in the base search, before the first pipe.

e.g.
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d clientId="665" | stats count by clientId, itemSold

0 Karma

Path Finder

You have been extremely helpful and I don't want to push my luck here, but unfortunately it's almost there but not quite. I think I need to see total itemSold for each clientId over 7 days within its own panel. That would make more sense, so I just need to break it down per clientId; so how do I code the limit: clientId = '665'?

0 Karma

Revered Legend

My bad, try the updated answer.

0 Karma

Path Finder

Thanks for replying. For some reason I am getting the following error:

Error in 'timechart' command: The argument 'itemSold' is invalid.

sourcetype="itemSold.newIndex.stats" earliest=-7d@d | timechart span=1d count by clientId, itemSold

I'm not sure about your search query:

mine just looks like this:

source="/itemSold.newIndex/tcp/xxxx6"

0 Karma