Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Count for same field but for non occurring values based on other field.

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 01:55 AM

In below example I want only count of "a" as he has not paid till the end. And also the data entries are many which cannot be counted,below is only a small part of it. 
Count should be based on customer, only those customers count should be given which have not paid till the end and if paid once its previous unpaid should not be consider.  

Pending and paid invoices count gets change when invoices paid by customer
E.g. 31st Jan 2020 customer has not done payment so I am making entry for that invoice as pending so this count will display on pending invoices as 1 and invoices paid as 0 and once Customer has paid on feb 1st week then from pending invoices count will change back to 0 and paid invoices to 1

datecustomerpayment_status
01/31/2020aunpaid
01/31/2020bunpaid
01/31/2020cpaid
02/31/2020aunpaid
02/06/2020bpaid
02/26/2020cpaid
03/30/2020aunpaid
03/30/2020bpaid
03/30/2020cpaid

Any help is appreciated.

Labels (1)
Labels
0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 02:17 AM 
| makeresults
| eval _raw="date	customer	payment_status
01/31/2020	a	unpaid
01/31/2020	b	unpaid
01/31/2020	c	paid
02/31/2020	a	unpaid
02/06/2020	b	paid
02/26/2020	c	paid
03/30/2020	a	unpaid
03/30/2020	b	paid
03/30/2020	c	paid"
| multikv forceheader=1 
| table date customer payment_status
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0
0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 02:41 AM

As I have mentioned that this in only a small part of my csv file. There are 300 entries I can't write 300 date customer in my query. Is there other way?

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:19 AM

>other way.
why? Isn't  stats and where good enough?

0 Karma
Reply

shravanikarale
Loves-to-Learn Lots
‎07-24-2020 03:24 AM

They are but what I am saying is that i cant write for 300 entries. 

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-24-2020 03:33 AM

recommend:

your search
| stats dc(payment_status) as flag count(eval(payment_status="unpaid")) as unpaid by customer
| where flag = 1 AND unpaid > 0

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...