Splunk Search

get total results per client per item for the last 7 days

jdepp
Path Finder

I would like to create a panel that displays in a table a historical record of counts for the last 7 days. The totals would be per client per item, which follows this JSON format:

  {"authorUrl":"michael_scooter","pubDate":"2014-04-30 11:27:49","clientId":"665",
  "itemSold":"((samsung TV))"}

So basically I would like to view the total counts of itemSold for each clientId for the last 7 days. Here is what I have now:

search sourcetype="itemsSold.newIndex.stats"| timechart count by itemSold

Thanks.


somesoni2
SplunkTrust

If with search

sourcetype="itemsSold.newIndex.stats" | table _time, clientId, itemSold

You get output like

_time                clientId     itemSold
2014-04-30 11:27:49    665     ((samsung TV)) 
2014-04-30 11:29:49    669     ((apple TV))        -- example
....
....

Updated Query

Try this

sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | bucket span=1d _time | stats count by _time, clientId, itemSold

OR

sourcetype="itemsSold.newIndex.stats" earliest=-7d@d | stats count by clientId, itemSold
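As an added example (not from this thread), a single-client panel search that extends the accepted bucket-and-stats approach: it bounds the window to whole days, filters on the clientId value 665 taken from the question's sample event, and pivots the daily buckets into columns so each itemSold row shows its count per day. The sourcetype is the one used in the answer; adjust it (or use the source= form from the question) to match your own data.

```spl
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d latest=@d clientId="665"
| bucket span=1d _time
| stats count by _time, itemSold
| eval day=strftime(_time, "%Y-%m-%d")
| chart sum(count) over itemSold by day
| fillnull value=0
```

timechart accepts only one split-by field, which is why the timechart ... by clientId, itemSold form in the thread errors; bucket followed by stats (or chart over/by) is the way to group by two fields per day.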


jdepp
Path Finder

Thanks, got it.


somesoni2
SplunkTrust

Add the criteria in the base search, before the first pipe.

e.g.
sourcetype="itemsSold.newIndex.stats" earliest=-7d@d clientId='665' | stats count by clientId, itemSold


jdepp
Path Finder

You have been extremely helpful and I don't want to push my luck here, but unfortunately it's almost there but not quite. I think I need to see total itemSold for each clientId over 7 days within its own panel. That would make more sense, so I just need to break it down per clientId; so how do I code the limit: clientId = '665'


somesoni2
SplunkTrust

My bad, try the updated answer.


jdepp
Path Finder

Thanks for replying. For some reason I am getting the following error:

Error in 'timechart' command: The argument 'itemSold' is invalid.

sourcetype="itemSold.newIndex.stats" earliest=-7d@d | timechart span=1d count by clientId, itemSold

I'm not sure about your search query:

mine just looks like this:

source="/itemSold.newIndex/tcp/xxxx6"
