Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count for same field but for non occurring values based on other field.

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 01:55 AM

In below example I want only count of "a" as he has not paid till the end. And also the data entries are many which cannot be counted,below is only a small part of it. 
Count should be based on customer, only those customers count should be given which have not paid till the end and if paid once its previous unpaid should not be consider.  

Pending and paid invoices count gets change when invoices paid by customer
E.g. 31st Jan 2020 customer has not done payment so I am making entry for that invoice as pending so this count will display on pending invoices as 1 and invoices paid as 0 and once Customer has paid on feb 1st week then from pending invoices count will change back to 0 and paid invoices to 1

datecustomerpayment_status
01/31/2020aunpaid
01/31/2020bunpaid
01/31/2020cpaid
02/31/2020aunpaid
02/06/2020bpaid
02/26/2020cpaid
03/30/2020aunpaid
03/30/2020bpaid
03/30/2020cpaid

Any help is appreciated.

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 02:17 AM 
| makeresults
| eval _raw="date	customer	payment_status
01/31/2020	a	unpaid
01/31/2020	b	unpaid
01/31/2020	c	paid
02/31/2020	a	unpaid
02/06/2020	b	paid
02/26/2020	c	paid
03/30/2020	a	unpaid
03/30/2020	b	paid
03/30/2020	c	paid"
| multikv forceheader=1 
| table date customer payment_status
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0
0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 02:41 AM

As I have mentioned that this in only a small part of my csv file. There are 300 entries I can't write 300 date customer in my query. Is there other way?

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:19 AM

>other way.
why? Isn't  stats and where good enough?

0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 03:24 AM

They are but what I am saying is that i cant write for 300 entries. 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:33 AM

recommend:

your search
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...