I am attempting to perform a count/eval of the TransactionStatus=success across the following 3 sources for each Segment(0-4) for the purpose of a dashboard. I know that I could easily do 3 separate searches and have 3 different charts, but I don't really want to do that.
dst = index=dst, SegmentID(0-3),sourcetype=dst(only 1 possibility), TransactionStatus=sucess, TraceUID
mtl = index=mtl, NO Segment(All are assigned to Segment0), sourcetype=mtl(only 1 possibility), TransactionStatus=sucess, traceUID
aps = index=main, Segment(0-3), sourcetype=txn(38 possibilities total), TransactionStatus=sucess, TraceUID
Across all 3 sources there is 1 value that exists in all 3 sources and that is the TraceUID/traceUID field. I will dedup on this field
If I am reading you right, I think that you want the total count of successful TraceUID values in each segment.
I can do that with this query:
index IN ("dst", "mtl", "main") TransactionStatus="success" | eval SegmentID=coalesce(SegmentID,Segment,"0") | stats dc(TraceUID) as SuccessCount by SegmentID
I am needing to calculate all of the success case across the 3 sources for a specific Segment; however, the way to get to this data is different such all 3 have an index value, the only issue here is that 1 of the sources has multiple sourcetypes and I only need 1 specific source type so that sources index can't be used solely by itself. Also, the field Segment (which is what I need the calculation on) technically exist in 2 of sources even though the field name is different - SegmentID in one and just Segment in the other. The 3rd source does not have a Segment field because of the data in this source belongs only to Segment 0. I need to then do this calculation across all 4 of the Segments separately. So at the end I should have a calculation of success transaction across Segment 0,1,2,3 and across all 3 of the sources. Source #3, obviously will only have a calculation for Segment0 being that all of its transactions can only belong to Segment0 and no other.
In a nutshell a transaction comes into the system first at source1, then that transaction will move to source2 and then finally to source3. At the end of each source that transaction will have a status of either failure or success. The transaction ID that is used for a transaction will be the same in each of the 3 sources, so this will have to be dedup so that the success is only counted one and not 3 times.
Hope that this helps clarify things a little.
I see, so I am missing a condition on the sourcetype for index=main. I also see that I missed that TraceUID has two field names (TraceUID and traceUID), so I will account for that as well
It seems to me that the main problem that you are having is with the normalization of your data. If you could count on the fields that you want to use, you could do stats properly. That is why my answer mostly just normalizes your data (based on available info).
The coalesce will allow us to normalize SegmentID so that we can treat it the same in all records
says to use Sement ID if available, otherwise use Segment, and if neither of those exists in the record, assume that SegmentID is "0"
To add the extra condition on sourcetype, we can just use some compound conditions in the base query (I also renamed traceUID to normalize that field):
(index IN ("dst", "mtl") OR (index="main" sourcetype="txn")) TransactionStatus="success" | eval SegmentID=coalesce(SegmentID,Segment,"0") | rename traceUID as TraceUID | stats dc(TraceUID) as SuccessCount by SegmentID
This should result in results that look like
SuccessCount SegmentID 15 0 13 1 10 2 5 3
But I am thinking that you want to see something more. Since you note dedup on TraceUID, lets figure that you want those values in the results:
(index IN ("dst", "mtl") OR (index="main" sourcetype="txn")) TransactionStatus="success" | eval SegmentID=coalesce(SegmentID,Segment,"0") | rename traceUID as TraceUID | stats dc(TraceUID) as SuccessCount values(TraceUID) as UIDs by SegmentID