Solved: How to get all items after count and get a list of...

mabinn · ‎09-14-2018

Hi, what is the best way to get all items from a count? Let's say I have two columns. First column displays the items, second column displays how many were sold.

I want to create a third column that displays an array of receipt numbers according to items. Let's say that all receipts only had 1 item, so no duplication will happen.

items                            sold                                receipt_numbers
shampoo                        5                                     [123, 432, 654, 345, 664]
soap                                2                                     [112, 445]
razor                               1                                     [548]
cologne                           3                                     [765, 996, 273]

My current query is something like this

index=something source=xyz | dedup id | stats count(sold) by items

martin_mueller · ‎09-15-2018

If you want your stats to list all values of a field, tell it to: ... | stats count as sold, values(receipt_number) as receipt_numbers by items

View solution in original post

martin_mueller · ‎09-15-2018

If you want your stats to list all values of a field, tell it to: ... | stats count as sold, values(receipt_number) as receipt_numbers by items

mabinn · ‎09-14-2018

It doesn't need to be in array. I actually want to concat these receipt numbers later on using apendcols.

How to get all items after count and get a list of items in an array?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!