Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to combine two fields with eval ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paymenttype RefunpaymentType
DEBIT DEBIT
GIFTCARD PGIFTCARD
ORIGINAL CREDITCARD
ORIGINAL DEBITCARD
I am trying to get output like this and also count of this combinations
Refund Count
DEBIT-DEBIT 100
GIFTCARD -PGIFTCARD 50
ORIGINAL-CREDITCARD 75
ORIGINAL-DEBITCARD 88
Can any one help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| search "body.refundTenderType"=*
| search "body.refundTenders{}.paymentType"=*
| rename body.refundTenderType as "RefundTender"
| rename body.refundTenders{}.paymentType as "RefundTenderPaymentType"
| stats count AS Count BY RefundTender RefundTenderPaymentType, body.orderNumber add this here
| eval Refund = RefundTender . "-" . RefundTenderPaymentType
| table Refund , body.orderNumber
| chart count by Refund
Try this if it works
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
... | stats count AS Count BY paymenttype RefunpaymentType
| eval Refund = paymenttype . "-" . RefunpaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock : tried this search i got results but count is displaying is 1 instead of accurate count values
| search "body.refundTenderType"=* | search "body.refundTenders{}.paymentType"=* | rename body.refundTenderType as "RefundTender" | rename body.refundTenders{}.paymentType as "RefundTenderPaymentType" | stats count AS Count BY RefundTender RefundTenderPaymentType | eval Refund = RefundTender . "-" . RefundTenderPaymentType | table Refund , body.orderNumber | chart count by Refund
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1 extra step that is not in my answer; do this:
... | search "body.refundTenderType"=* AND "body.refundTenders{}.paymentType"=*
| rename body.refundTenderType as "RefundTender", body.refundTenders{}.paymentType as "RefundTenderPaymentType"
| stats count AS Count BY RefundTender RefundTenderPaymentType
| eval Refund = RefundTender . "-" . RefundTenderPaymentType
| table Refund Count
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
| eval field=paymenttype+"-"+RefunpaymentType | stats count by field
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
