Splunk Search

How can I separate count eval results into individual rows depending on the data found?

Steve_A200
Explorer

Hi,

Currently, my query produces the correct results but they are all aggregated into single cells, and I would like to have them separated depending on the results found.

What I would like is to have "Offers/Redeemed/Take_Rate"  listed and calculated for each unique combination of results found for pointBank/merchant.  

So:

offers  Redeemed  Pointbank   Merchant   Take_Rate

2               1                    A                       A                 50

3               1                    A                       B                 33.3

6               3                    B                       A                 50

5               1                    B                       C                 20

My current query is:

host="server" source="/home/xyz.log" earliest=-1@d latest=now | fields "promotionAction" "pointBankCode" "merchantCode"| search (promotionAction="*") pointBankCode="*" merchantCode="*" | stats count(eval(promotionAction= "OFFERED")) AS Offers count(eval(promotionAction= "ACCEPTED")) as Redeemed values(pointBankCode) as PointBank values(merchantCode) as Merchant | eval Take_Rate=((Redeemed)/(Offers)*100)

Labels (2)
Tags (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
host="server" source="/home/xyz.log" earliest=-1@d latest=now 
| fields "promotionAction" "pointBankCode" "merchantCode"
| search (promotionAction="*") pointBankCode="*" merchantCode="*" 
| stats count(eval(promotionAction= "OFFERED")) AS Offers count(eval(promotionAction= "ACCEPTED")) as Redeemed by pointBankCode merchantCode 
| eval Take_Rate=((Redeemed)/(Offers)*100)

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
host="server" source="/home/xyz.log" earliest=-1@d latest=now 
| fields "promotionAction" "pointBankCode" "merchantCode"
| search (promotionAction="*") pointBankCode="*" merchantCode="*" 
| stats count(eval(promotionAction= "OFFERED")) AS Offers count(eval(promotionAction= "ACCEPTED")) as Redeemed by pointBankCode merchantCode 
| eval Take_Rate=((Redeemed)/(Offers)*100)

Steve_A200
Explorer

Thank you very much for the prompt reply, that worked exactly how I needed it to display.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>