Currently my search query is:
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT" "additionalMessage.response.commissionPercentage"="0.15" | rename additionalMessage.requestBody.deviceId as device_id | stats count(message) as count by device_id | lookup ATMDeviceNames.csv device_id OUTPUT device_name | append [| inputlookup ATMDeviceNames.csv | table device_id device_name | eval count=0 ] | stats max(count) as count by device_id device_name | sort -count | rename count as "Completed Transactions"
it displays a statistics table like this:
device_id | device_name | Completed_Transactions |
02f012-e0c-40d6-8ff5-2d2cba87b2 | testdevice123 | 11 |
I would like to create an additional dashboard panel based on this table. I would like to swap the Completed_Transactions with a column called Total_Cash.
I can see the cash amount per transaction under the name "additionalMessage.response.fiatAmount".
I would like to see the total cash amount per device displayed, can't seem to make it work. Any help would be greatly appreciated.
Try like this
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT" "additionalMessage.response.commissionPercentage"="0.15" | rename additionalMessage.requestBody.deviceId as device_id | stats count(message) as count sum(additionalMessage.response.fiatAmount) as Total_Cash by device_id | lookup ATMDeviceNames.csv device_id OUTPUT device_name | append [| inputlookup ATMDeviceNames.csv | table device_id device_name | eval count=0 , Total_Cash=0 ] | stats max(count) as count max(Total_Cash) as Total_Cash by device_id device_name | sort -count | rename count as "Completed Transactions"
Try like this
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT" "additionalMessage.response.commissionPercentage"="0.15" | rename additionalMessage.requestBody.deviceId as device_id | stats count(message) as count sum(additionalMessage.response.fiatAmount) as Total_Cash by device_id | lookup ATMDeviceNames.csv device_id OUTPUT device_name | append [| inputlookup ATMDeviceNames.csv | table device_id device_name | eval count=0 , Total_Cash=0 ] | stats max(count) as count max(Total_Cash) as Total_Cash by device_id device_name | sort -count | rename count as "Completed Transactions"