Dashboards & Visualizations

Stash graph with time intervals.

sandeepmakkena
Contributor

{"dtm":"2019-09-04 07:17:39.129 PDT", "logger":".WEB_ORDER_RELEASE", "app":{"a":"OrderBuilderService","dc":"rnodc1","e":"all.test.ce03","h":"rn-aost-c03-lapp17.rno.com","p":"5328","ptn":"AMR","r":"5df90752-abc0-4a05-bf35-f1484f5102ea"}, "msg":{"data":{"cartId":"00000000-00000000-d000-000078669e67","casId":"c2265eae-4db0-403c-a682-0efd25bc1e76","clientSubType":"web.common","clientType":"web","cosId":"1b4b4c51-5c95-4172-ad59-b89a6b2ce3de","deliveryGroup":"SINGLE_ADDRESS_SHIP_PARTIAL","features":["crd","verizonInstallments"],"fraudDecision":"NF","lineItems":[{"commitCode":"0","deliveryDate":"Tomorrow","deliveryType":"STH","partNumber":"MT312LL/A","product":"iPhone XR 64GB White","qty":"5","resolvedDate":"Tomorrow","shipMethodCode":"SO"}],"ops.response":"SUCCEEDED","orderType":"order","payments":["CARD"],"pssId":"W6474e26fbfd74dadb7e240350adb9c20","remoteHost":"12.11.11.111","storeFront":{"channel":"common.internet","formatCode":"common","geo":"w.ar.uss","language":"en-us","segment":"consumer","storeFrontId":"10078"},"webOrderNumber":"W7726473007"},"headerData":{"channel":"common.internet","dssId":"22079241-ac7d-4496-8b9b-e5624b6792c0","format":"common","geo":"w.ar.uss","hashedPersonId":"fGeEFnkTSPfUgzcrbTHNYH31lWfY50g2MEAwXapV/1Q=","language":"en-us","mileStoneId":"ORDER_RELEASE","segment":"consumer","storefrontId":"10078"}}}

We have mileStoneID as Create_Cart, Checkout, Create_Checkout, Web_order_create and Order_Release.

I have a very interesting requirement, where I need show count of pddID by mileStoneID with a stash intervals < 1min 1min-3mins 3-5mins >5mins . Let say pddID = 12345687 is in mileStoneId Web_order_create and it's been in that mileStoneId for 2mins, it should fall in the count bucket of create and stash interval of 1min-3mins and pddID = 12345687 should not be included in another mileStoneId count.

Please feel free to ask any questions,Thanks for your time.

0 Karma

sduff_splunk
Splunk Employee
Splunk Employee

I think you'll need something like the following

<base search>
| stats latest(mileStoneId) as mileStoneId, latest(_time) as _time by pddID
| eval stash_interval=now()-_time
| eval interval_bucket=case(stash_interval<60,"< 1min", stash_interval<180,"1-3min", stash_interval<300,"3-5min",1==1,">5mins")`
| stats count by interval_bucket, mileStoneId

First, get all the data you need as part of your base search. Then get the latest mileStoneID and _time for each pddID.
Assuming that the _time of the event is correct, you could calculate the how long it has been in that state by doing eval stash_interval=now()-_time .
Next, you can calculate what interval "bucket" you want to put it in, with eval interval_bucket=case(stash_interval<60,"< 1min", stash_interval<180,"1-3min", stash_interval<300,"3-5min",1==1,">5mins")

Once you have that data, you can do a stats count by mileStoneId, interval bucket, and you should end up with the table you are after.

Good luck!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...