Hello People,
Thank you so much for the amazing help you have provided me with in my last post... I have one final struggle to tackle this month in Splunk, and it is with regards to "How to count events that retain the same ID or code of reference but can in time change values in a specified field". For instance, I work for a hotel company, and a booking reference, f.i. "YHDU-984", can have 4 different status values = BOOKED, PAID, TRAVELED, OK. Whenever a customer makes a reservation the status is BOOKED, when they pay it is PAID, whenever they have traveled to the destination it is TRAVELED, and when they have arrived at our hotel it is changed to OK... so a booking reference may have all of these status values or only some of them... each new change in status will be recorded with the DATE_TIME, and every record will also show the DESTINATION (city) and HOTEL_NAME.
It would be a lot more useful to me if, instead of counting by BOOKING_REF how many events there are in the STATUS="OK" and so on... I wanna be able to count the number of BOOKING_REF in each STATUS, taking into account the very last STATUS each BOOKING_REF currently has. I'm sorry, I'm not the best with words, so here is an example:
Let's say I can obtain these tables:
BOOKING_REF | CLIENT | STATUS |
HYH89 | ADAM | BOOKED |
HD983 | BOB | BOOKED |
XUUE8 | CHARLES | BOOKED |
XKSIU8 | JAMES | BOOKED |
XPPP4 | DINA | BOOKED |
YHUO1 | TINA | BOOKED |
and when I look for STATUS PAID I get this
BOOKING_REF | CLIENT | STATUS |
HYH89 | ADAM | PAID |
HD983 | BOB | PAID |
XUUE8 | CHARLES | PAID |
XKSIU8 | JAMES | PAID |
and when I look for STATUS TRAVELED I get this
BOOKING_REF | CLIENT | STATUS |
HYH89 | ADAM | TRAVELED |
HD983 | BOB | TRAVELED |
and when I look for STATUS OK I get this
BOOKING_REF | CLIENT | STATUS |
HD983 | BOB | OK |
if I use the stats command to count each status I get something like this:
STATUS | count |
BOOKED | 6 |
PAID | 4 |
TRAVELED | 2 |
OK | 1 |
but for my boss (who is not a friendly person...) it is confusing to interpret, so if I were able to count by the very last event, or in other words the "current" status, my result should look something like this:
STATUS | count |
BOOKED | 2 |
PAID | 2 |
TRAVELED | 1 |
OK | 1 |
and this is because out of the first bookings I can now identify which customers have traveled and not yet arrived at our hotel... and I can also see that only one customer has made it to the hotel
Thank you so much guys for your help... this will be the last time I will be bothering you with my posts this month, I promise! I'm sending you a lot of love
Kindly,
Cindy
| stats latest(STATUS) as STATUS by BOOKING_REF
| stats count by STATUS
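The two `stats` stages above, replayed in Python on the bookings from the question so that both result tables can be checked. This is an added example, not part of the thread. The timestamps and function names are assumptions (the post shows no DATE_TIME values), and it assumes DATE_TIME is the event time that `latest()` orders by.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data mirroring the tables in the question. The post gives
# no DATE_TIME values, so the timestamps below are invented: one status change
# per day starting from an arbitrary date.
HISTORY = {
    "HYH89": ("ADAM", ["BOOKED", "PAID", "TRAVELED"]),
    "HD983": ("BOB", ["BOOKED", "PAID", "TRAVELED", "OK"]),
    "XUUE8": ("CHARLES", ["BOOKED", "PAID"]),
    "XKSIU8": ("JAMES", ["BOOKED", "PAID"]),
    "XPPP4": ("DINA", ["BOOKED"]),
    "YHUO1": ("TINA", ["BOOKED"]),
}
START = datetime(2024, 3, 1, 9, 0)
EVENTS = [
    {"DATE_TIME": START + timedelta(days=i), "BOOKING_REF": ref,
     "CLIENT": client, "STATUS": status}
    for ref, (client, statuses) in HISTORY.items()
    for i, status in enumerate(statuses)
]
EVENTS.sort(key=lambda e: e["STATUS"])  # scramble: input order must not matter


def count_events_by_status(events):
    """Like `stats count by STATUS` on raw events: every status change counts."""
    return Counter(e["STATUS"] for e in events)


def latest_status_by_ref(events):
    """Like `stats latest(STATUS) as STATUS by BOOKING_REF`: newest event wins."""
    newest = {}
    for e in events:
        seen = newest.get(e["BOOKING_REF"])
        if seen is None or e["DATE_TIME"] > seen["DATE_TIME"]:
            newest[e["BOOKING_REF"]] = e
    return {ref: e["STATUS"] for ref, e in newest.items()}


def count_current_status(events):
    """Like the second `stats count by STATUS`: one row per booking is counted."""
    return Counter(latest_status_by_ref(events).values())


if __name__ == "__main__":
    print("per event :", dict(count_events_by_status(EVENTS)))
    print("current   :", dict(count_current_status(EVENTS)))
```

The first stage collapses each booking to a single row before anything is counted, which is why the second count adds up to the number of bookings (6) rather than the number of events (13).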
10/10 Thank you so much!