Solved: How do I edit my search to divide an amount by 100...

markgandolfo · ‎01-29-2016

Hi,

I'm trying to group all payments "amount" by month. The challenge is they're in cents, and I would prefer dollars.
I have one condition which is search "params.type"="charge.succeeded". From there I'm trying to collect the params.data.object.amount which is the amount charged in cents.

I've tried a number of different ways to divide the amount, but it seems I can either divide the amount by 100, to represent dollars, or I can timechart it, but I can't seem to do both. Below is a mess of where I've ended.

host=production | spath "params.type" | search "params.type"="charge.succeeded"| spath "params.data.object.amount" | stats sum("params.data.object.amount") as total | timechart span=1mon

Could anyone help point me in the right direction?

sundareshr · ‎01-29-2016

Try this

your search and criteria here | spath path="params.data.object.amount" output=amt | eval amt=amt/100 |timechart span=1mon sum(amt) as total

View solution in original post

sundareshr · ‎01-29-2016

Try this

your search and criteria here | spath path="params.data.object.amount" output=amt | eval amt=amt/100 |timechart span=1mon sum(amt) as total

markgandolfo · ‎01-29-2016

Thank you very much!

How do I edit my search to divide an amount by 100 per month and display this in a timechart?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Are you a member of the Splunk Community?

How do I edit my search to divide an amount by 100 per month and display this in a timechart?

.conf25 Registration is OPEN!

Detecting Cross-Channel Fraud with Splunk

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside