Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: get total results per client per item for the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would like to create a panel that displays in a table a historical records of counts for the last 7 days. The totals would be per client per item which follows this json format:
{"authorUrl":"michael_scooter","pubDate":"2014-04-30 11:27:49","clientId":"665",
"itemSold":"((samsung TV))"}
So basically I would like to view the total counts of itemSold for each clientId for the last 7 days.Here is what i have now:
search sourcetype="itemsSold.newIndex.stats"| timechart count by itemSold
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If with search
sourcetype="itemsSold.newIndex.stats" | table _time, clientId, itemSold
You get output like
_time clientId itemSold
2014-04-30 11:27:49 665 ((samsung TV))
2014-04-30 11:29:49 669 ((apple TV)) -- example
....
....
Updated Query
Try this
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | bucket span=1d _time | stats count by _time, clientId,itemSold
OR
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | stats count by clientId, itemSold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If with search
sourcetype="itemsSold.newIndex.stats" | table _time, clientId, itemSold
You get output like
_time clientId itemSold
2014-04-30 11:27:49 665 ((samsung TV))
2014-04-30 11:29:49 669 ((apple TV)) -- example
....
....
Updated Query
Try this
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | bucket span=1d _time | stats count by _time, clientId,itemSold
OR
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | stats count by clientId, itemSold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks got it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add the criteria in the base search. before first pipe.
e.g.
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d clientId='665'| stats count by clientId, itemSold
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have been extremely helpful and I don't want to push my luck here but unfortunately its almost there but not quite. I think I need to see total itemSold for each clientId over 7 days within its own panel. That would make more sense, so I just need to break it down per clientID; so how do I code the limit: clientId = '665'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My bad, try the updated answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for replying. For some reason I am getting the following error:
Error in 'timechart' command: The argument 'itemSold' is invalid.
sourcetype="itemSold.newIndex.stats" earliest=-7d@d | timechart span=1d count by clientId, itemSold
I'm not sure about your search query:
mine just looks like this:
source="/itemSold.newIndex/tcp/xxxx6"
Observe and Secure All Apps with Splunk
Splunk Decoded: Business Transactions vs Business IQ
Fastest way to demo Observability
