- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to combine two fields with eval ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paymenttype RefunpaymentType
DEBIT DEBIT
GIFTCARD PGIFTCARD
ORIGINAL CREDITCARD
ORIGINAL DEBITCARD
I am trying to get output like this and also count of this combinations
Refund Count
DEBIT-DEBIT 100
GIFTCARD -PGIFTCARD 50
ORIGINAL-CREDITCARD 75
ORIGINAL-DEBITCARD 88
Can any one help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| search "body.refundTenderType"=*
| search "body.refundTenders{}.paymentType"=*
| rename body.refundTenderType as "RefundTender"
| rename body.refundTenders{}.paymentType as "RefundTenderPaymentType"
| stats count AS Count BY RefundTender RefundTenderPaymentType, body.orderNumber add this here
| eval Refund = RefundTender . "-" . RefundTenderPaymentType
| table Refund , body.orderNumber
| chart count by Refund
Try this if it works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock : tried this search i got results but count is displaying is 1 instead of accurate count values
| search "body.refundTenderType"=* | search "body.refundTenders{}.paymentType"=* | rename body.refundTenderType as "RefundTender" | rename body.refundTenders{}.paymentType as "RefundTenderPaymentType" | stats count AS Count BY RefundTender RefundTenderPaymentType | eval Refund = RefundTender . "-" . RefundTenderPaymentType | table Refund , body.orderNumber | chart count by Refund
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1 extra step that is not in my answer; do this:
... | search "body.refundTenderType"=* AND "body.refundTenders{}.paymentType"=*
| rename body.refundTenderType as "RefundTender", body.refundTenders{}.paymentType as "RefundTenderPaymentType"
| stats count AS Count BY RefundTender RefundTenderPaymentType
| eval Refund = RefundTender . "-" . RefundTenderPaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
| eval field=paymenttype+"-"+RefunpaymentType | stats count by field
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
