https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465449#M131135 <P>@woodcock I tried to do that, but it also doesn't work: Error in 'where' command: The expression is malformed. A comparison term is missing.<BR /> I have 600 000 events/transactions (and at least 100 000 different customers) and I have to search for all who satisfy the condition (all transactions of the current day whose amount is higher than the average transaction amount for this customer for the previous month), not one by one (NOT specifying exact customer and then searching only for him).</P> Sun, 15 Dec 2019 12:38:28 GMT dorismustovic 2019-12-15T12:38:28Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465446#M131132 <P>Hi all,</P> <P>I have a bank transaction XML log with DATE, CC, AMOUNT. I need to show all transactions of the current day whose amount is higher than the average transaction amount for this customer for the previous month.<BR /> Here is the log example:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8087iBC6C4900497C0618/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I found one similar topic and tried this so far, but it doesn't work:</P> <PRE><CODE> eval epochtime=strptime(DATE, "%d%m%Y") | where epochtime=relative_time(epochtime, "-1mon@mon")&lt;=epochtime| eval date=strftime(epochtime, "%d-%m-%Y") |eval cardmask=substr(CC, 0,4)+"******" | eval cardmask1=substr(CC, 11,12) | eval mask=cardmask+cardmask1| stats sum(AMOUNT) as TodaySum by mask | appendcols [ search sourcetype="..." |xmlkv | eval epochtime=strptime(Date, "%d%m%y") | where epochtime=relative_time(epochtime, "@d")&lt;=epochtime AND relative_time(epochtime, "-1mon@mon")&lt;=epochtime | eval date=strftime(epochtime, "%d-%m-%Y") |eval cardmask=substr(CC, 0,4)+"******" | eval cardmask1=substr(CC, 11,12) | eval mask=cardmask+cardmask1| stats avg(AMOUNT) as LastMonthAvg by mask ] eval alert=if(TodaySum &gt; LastMonthAvg, "OK","NOK") </CODE></PRE> <P>Please, I need help, got no more ideas.</P> <P>Thank you <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 12 Dec 2019 21:49:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465446#M131132 dorismustovic 2019-12-12T21:49:58Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465447#M131133 <PRE><CODE>| makeresults | eval _raw="&lt;DATE&gt;11122019&lt;/DATE&gt; &lt;TIME&gt;000031&lt;/TIME&gt; &lt;CC&gt;2615710116889328&lt;/CC&gt; &lt;AMOUNT&gt;14972.19&lt;/AMOUNT&gt;" | appendpipe [| eval _raw="&lt;DATE&gt;10122019&lt;/DATE&gt; &lt;TIME&gt;000031&lt;/TIME&gt; &lt;CC&gt;2615710116889328&lt;/CC&gt; &lt;AMOUNT&gt;14972.19&lt;/AMOUNT&gt;"] | appendpipe [| eval _raw="&lt;DATE&gt;10112019&lt;/DATE&gt; &lt;TIME&gt;000031&lt;/TIME&gt; &lt;CC&gt;2615710116889328&lt;/CC&gt; &lt;AMOUNT&gt;14972.19&lt;/AMOUNT&gt;"] | appendpipe [| eval _raw="&lt;DATE&gt;09112019&lt;/DATE&gt; &lt;TIME&gt;000031&lt;/TIME&gt; &lt;CC&gt;2615710116889328&lt;/CC&gt; &lt;AMOUNT&gt;14972.19&lt;/AMOUNT&gt;"] `comment("the logic is blow")` | xmlkv | eval epochtime=strptime(DATE, "%d%m%Y") | eval Month_date=tonumber(strftime(epochtime,"%m")) | eval cardmask=substr(CC, 0,4)+"******" | eval cardmask1=substr(CC, 11,12) | eval mask=cardmask+cardmask1 | eventstats sum(AMOUNT) as TodaySum by mask epochtime | eventstats avg(TodaySum) as Month_avg by mask Month_date | table epochtime mask TodaySum Month_avg Month_date | rename epochtime as _time | eventstats values(eval(if(tonumber(strftime(now(),"%m")) -1 == Month_date,Month_avg,NULL))) as prev_Mon_avg by mask </CODE></PRE> <P>It wasn't actual data, so I could only do this.<BR /> please try with <CODE>earliest=-1month@month</CODE> and your search.</P> Sat, 14 Dec 2019 04:47:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465447#M131133 to4kawa 2019-12-14T04:47:56Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465448#M131134 <P>First of all, FIX YOUR TIMESTAMP SETTINGS so that <CODE>_time</CODE> is correct, then do this:</P> <PRE><CODE>index=Myindex sourcetype="Mysourcetype" earliest=@d latest=now |eval cardmask=substr(CC, 0,4) . "**" | eval cardmask1=substr(CC, 11,12) | eval maskCC=cardmask+cardmask1 | eval AVG = [search index=Myindex sourcetype="Mysourcetype" earliest=-1mon@mon latest=@mon | stats avg(AMOUNT) as avg | return $avg ] | where AMOUNT &gt; AVG | table * </CODE></PRE> Sat, 14 Dec 2019 18:13:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465448#M131134 woodcock 2019-12-14T18:13:39Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465449#M131135 <P>@woodcock I tried to do that, but it also doesn't work: Error in 'where' command: The expression is malformed. A comparison term is missing.<BR /> I have 600 000 events/transactions (and at least 100 000 different customers) and I have to search for all who satisfy the condition (all transactions of the current day whose amount is higher than the average transaction amount for this customer for the previous month), not one by one (NOT specifying exact customer and then searching only for him).</P> Sun, 15 Dec 2019 12:38:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465449#M131135 dorismustovic 2019-12-15T12:38:28Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465450#M131136 <P>Actually it worked with this one:</P> <P>index=Myindex sourcetype="Mysourcetype" earliest=@d latest=now |eval cardmask=substr(CC, 0,4)+"******" | eval cardmask1=substr(CC, 11,12) | eval maskCC=cardmask+cardmask1| where AMOUNT&gt; [search index=Myindex sourcetype="Mysourcetype" earliest=-1mon@mon latest=@mon | stats avg(AMOUNT) as avg | return $avg ] | table *</P> <P>It works perfectly, but can You please tell me how to show average in my table also (now it shows maskCC and current day AMOUNT, but I would like to show last month average also)? </P> <P>Thank You in advance <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Sun, 15 Dec 2019 14:01:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465450#M131136 dorismustovic 2019-12-15T14:01:43Z https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465451#M131137 <P>See updated answer above.</P> Sun, 15 Dec 2019 15:22:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-show-all-current-day-transactions-whose-amount-is-higher/m-p/465451#M131137 woodcock 2019-12-15T15:22:01Z