Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count for same field but for non occurring values based on other field.

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 01:55 AM

In below example I want only count of "a" as he has not paid till the end. And also the data entries are many which cannot be counted,below is only a small part of it. 
Count should be based on customer, only those customers count should be given which have not paid till the end and if paid once its previous unpaid should not be consider.  

Pending and paid invoices count gets change when invoices paid by customer
E.g. 31st Jan 2020 customer has not done payment so I am making entry for that invoice as pending so this count will display on pending invoices as 1 and invoices paid as 0 and once Customer has paid on feb 1st week then from pending invoices count will change back to 0 and paid invoices to 1

datecustomerpayment_status
01/31/2020aunpaid
01/31/2020bunpaid
01/31/2020cpaid
02/31/2020aunpaid
02/06/2020bpaid
02/26/2020cpaid
03/30/2020aunpaid
03/30/2020bpaid
03/30/2020cpaid

Any help is appreciated.

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 02:17 AM 
| makeresults
| eval _raw="date	customer	payment_status
01/31/2020	a	unpaid
01/31/2020	b	unpaid
01/31/2020	c	paid
02/31/2020	a	unpaid
02/06/2020	b	paid
02/26/2020	c	paid
03/30/2020	a	unpaid
03/30/2020	b	paid
03/30/2020	c	paid"
| multikv forceheader=1 
| table date customer payment_status
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0
0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 02:41 AM

As I have mentioned that this in only a small part of my csv file. There are 300 entries I can't write 300 date customer in my query. Is there other way?

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:19 AM

>other way.
why? Isn't  stats and where good enough?

0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 03:24 AM

They are but what I am saying is that i cant write for 300 entries. 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:33 AM

recommend:

your search
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...