What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID

hrishi_deshpand — Wed, 20 Oct 2021 10:40:00 GMT

INFO | 2021-10-18 05:17 AM | BUSINESS RULE | Payload for ID#: 58916 with status Approved is published

Second Event

msg: INFO | 2021-10-14 10:38 PM | Message consumed: {"InputAmountToCredit":"22.67","CurrencyCode":"AUD","Buid":"1401","OrderNumber":"877118406","Cre ID":"58916"}

I want to have sum of InputAmountToCredit based on status . status can vary to different statuses and ID is common field for both the events (but it differs in key in both the events) How can I extact fields for status InputAmountToCredit and ID. I want to sum amount for each Id who is having same status and generate status wise report.

Also my Searches are slow and I want to implement summary index.

1. I am not sure if tomorrow i want to update my summary index will I be able to do so with new events?

2. How can I decide what should be part of summary index as right now I have the requirement with these two events only.

I am new to splunk so any pointers will help

Thanks for all the support.

Re: What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID

somesoni2 — Wed, 20 Oct 2021 14:36:58 GMT

Give this a try

(base search to fetch event1) OR (base search to fetch event2) | rex "ID\#\:\s*(?<ID1>\d+) with status (?<Status>\w+)" | rex "ID\"\:\"(?< ID2>[^\"]+)" | rex "InputAmountToCredit\"\:\"(?<InputAmountToCredit>[^\"]+)" | eval ID=coalesce(ID1,ID2) | stats latest(Status) as Status values(InputAmountToCredit) as InputAmountToCredit by ID | where Status="Approved"

topic What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID in Splunk Search

What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID

Re: What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID