Re: Field extraction.

sandeepmakkena · ‎09-11-2019

I have a raw event like this for each order, if a user buys two products of different units how can I tie each product to a specific quantity.

Items: [ [-]
{ [-]
commitCode: 2

deliveryType:

partNumber: P123
product: 3 Wireless Phone

promos: [ [-]
Auto dependency

]

qty: 10
resolvedDate: 04/04/04
shipMethodCode: A8
}

{ [-]
commitCode: 2

deliveryType: th
partNumber: P345

product: Pen

promos: [ [+]
]

qty: 1

resolvedDate: 04//04/04。

shipMethodCode: A8
}

I want to calculate the quantity of each product, but when I extracted qty and do stats count by PartNumber. It is giving incorrect events. Can someone help me how to work a way around that.
Thanks for your time.

poete · ‎09-11-2019

Hello @sandeepmakkena,

here is the way to go :

| makeresults 
| eval _raw="{\"Items\": [ {\"commitCode\": 2, \"deliveryType\":\"\",\"partNumber\": \"P123\",\"product\": \"3 Wireless Phone\",\"promos\": [ \"Auto dependency\"], \"qty\": 10,\"resolvedDate\": \"04/04/04\", \"shipMethodCode\": \"A8\"},
{ \"commitCode\": 2, \"deliveryType\": \"th\", \"partNumber\": \"P345\",\"product\": \"Pen\",\"promos\": [],\"qty\": 1,\"resolvedDate\": \"04/04/04\",\"shipMethodCode\": \"A8\"}]}"
| spath
| rename Items{}.qty as qty Items{}.product as product
| table qty product
| eval tmp=mvzip(product,qty)
| mvexpand tmp
| eval tmp = split(tmp,",") 
| eval product=mvindex(tmp,0)
| eval qty=mvindex(tmp,1)
| stats sum(qty) as nb by product

Field extraction.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms