Archive
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question
Solved! Jump to solution

How to combine two fields with eval ?

monipinni
Explorer
โ€Ž11-20-2019 01:19 PM

paymenttype RefunpaymentType

DEBIT DEBIT
GIFTCARD PGIFTCARD
ORIGINAL CREDITCARD
ORIGINAL DEBITCARD

I am trying to get output like this and also count of this combinations

Refund Count

DEBIT-DEBIT 100
GIFTCARD -PGIFTCARD 50
ORIGINAL-CREDITCARD 75
ORIGINAL-DEBITCARD 88

Can any one help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
โ€Ž11-20-2019 02:14 PM

Like this:

... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

siddharthkhatsu
Explorer
โ€Ž11-21-2019 05:22 AM

| search "body.refundTenderType"=*
| search "body.refundTenders{}.paymentType"=*
| rename body.refundTenderType as "RefundTender"
| rename body.refundTenders{}.paymentType as "RefundTenderPaymentType"
| stats count AS Count BY RefundTender RefundTenderPaymentType, body.orderNumber add this here
| eval Refund = RefundTender . "-" . RefundTenderPaymentType
| table Refund , body.orderNumber
| chart count by Refund

Try this if it works

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
โ€Ž11-20-2019 02:14 PM

Like this:

... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count

View solution in original post

0 Karma
Reply
Solved! Jump to solution

monipinni
Explorer
โ€Ž11-20-2019 06:35 PM

@woodcock : tried this search i got results but count is displaying is 1 instead of accurate count values

| search "body.refundTenderType"=* | search "body.refundTenders{}.paymentType"=* | rename body.refundTenderType as "RefundTender" | rename body.refundTenders{}.paymentType as "RefundTenderPaymentType" | stats count AS Count BY RefundTender RefundTenderPaymentType | eval Refund = RefundTender . "-" . RefundTenderPaymentType | table Refund , body.orderNumber | chart count by Refund

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
โ€Ž11-20-2019 07:26 PM

1 extra step that is not in my answer; do this:

... | search "body.refundTenderType"=* AND "body.refundTenders{}.paymentType"=* 
| rename body.refundTenderType as "RefundTender", body.refundTenders{}.paymentType as "RefundTenderPaymentType" 
| stats count AS Count BY RefundTender RefundTenderPaymentType 
| eval Refund = RefundTender . "-" . RefundTenderPaymentType 
| table Refund Count
0 Karma
Reply
Solved! Jump to solution

mayurr98
SplunkTrust
SplunkTrust
โ€Ž11-20-2019 01:30 PM

try this:

|  eval field=paymenttype+"-"+RefunpaymentType | stats count by field
0 Karma
Reply