
How to edit my search to get the count of a decision field?

Engager

Hi
I am trying to get the count of events where the field decision="ACCEPT" or decision="REJECT", by merchant and merchant ID, but the count only returns 1 or 0.

mysearch ....  
| transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully"
| rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT, alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
| eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED, dc(requestID) as BATCH_RECORD_CNT by MERCHANTID, BATCHID
| table MERCHANTID, BATCHID, BATCH_RECORD_CNT, ACCEPTED, REJECTED, START_TIME, END_TIME, BATCH_DURATION

Issue: the ACCEPTED and REJECTED fields are always either 1 or 0.

I am trying to use the functions below to get the count of decision="ACCEPT" or decision="REJECT", but they return either 1 or 0 where there are a total of 100+.

| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
| eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED, dc(requestID) as BATCH_RECORD_CNT by MERCHANTID, BATCHID
0 Karma

Re: How to edit my search to get the count of a decision field?

Legend

Why are you building a transaction? I can't tell if you are using it or not. Are you sure that ACCEPT and REJECT are capitalized in the data, and that the decision field actually exists?

0 Karma

Re: How to edit my search to get the count of a decision field?

Engager

Yes, they are capitals.

0 Karma

Re: How to edit my search to get the count of a decision field?

Legend

Perhaps this will be what you want:

mysearch ....
| stats count(eval(decision=="ACCEPT")) as ACCEPTED count(eval(decision=="REJECT")) as REJECTED
        dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid alp_batch_start_time alp_batch_end_time
| rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT,
         alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
0 Karma
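Added example (not code from the thread or from Splunk): a small Python model of the two SPL pipelines discussed above, run over constructed events, to show why counting decisions after `transaction` can only ever reach 1 per batch, while `stats count(eval(...)) by ...` over the raw events produces the real totals. The event data, the counts, and the helper names (`stats_counts`, `transaction`, `transaction_counts`) are all constructed for this illustration; the eval-on-multivalue behaviour is modelled generously and is labelled as an assumption in the code.

```python
from collections import defaultdict

# Constructed sample events (not real log data): one event per request.
# Field names follow the thread: alp_merchantid, alp_batchid, requestID, decision.
def _events(merchant, batch, prefix, n_accept, n_reject):
    evs = []
    for i in range(n_accept + n_reject):
        evs.append({"alp_merchantid": merchant, "alp_batchid": batch,
                    "requestID": f"{prefix}{i}",
                    "decision": "ACCEPT" if i < n_accept else "REJECT"})
    return evs

EVENTS = _events("M1", "B1", "r", 120, 15) + _events("M2", "B7", "q", 40, 2)


def stats_counts(events):
    """Model of the answer's pipeline, run directly on the raw events:
         | stats count(eval(decision=="ACCEPT")) as ACCEPTED
                 count(eval(decision=="REJECT")) as REJECTED
                 dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid
    Every raw event is counted, so the totals are the real per-batch numbers."""
    rows = defaultdict(lambda: {"ACCEPTED": 0, "REJECTED": 0, "ids": set()})
    for ev in events:
        row = rows[(ev["alp_merchantid"], ev["alp_batchid"])]
        if ev.get("decision") == "ACCEPT":
            row["ACCEPTED"] += 1
        elif ev.get("decision") == "REJECT":
            row["REJECTED"] += 1
        row["ids"].add(ev["requestID"])
    return {k: {"ACCEPTED": r["ACCEPTED"], "REJECTED": r["REJECTED"],
                "BATCH_RECORD_CNT": len(r["ids"])} for k, r in rows.items()}


def transaction(events, key_field="alp_batchid"):
    """Model of `| transaction alp_batchid`: all events with the same batch id
    are merged into ONE event; the other fields become multivalue lists of the
    unique values seen (Splunk's default, mvlist=false)."""
    merged = {}
    for ev in events:
        tx = merged.setdefault(ev[key_field], {key_field: ev[key_field]})
        for field, value in ev.items():
            if field == key_field:
                continue
            values = tx.setdefault(field, [])
            if value not in values:
                values.append(value)
    return list(merged.values())


def transaction_counts(events):
    """Model of the original pipeline: transaction first, then
         | eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=...
         | eventstats sum(msg_accepted) as ACCEPTED ... dc(requestID) ... by MERCHANTID, BATCHID
    Modelling assumption: the eval is treated generously as "ACCEPT appears among
    the merged decision values". Even so there is only one merged event per batch,
    so each sum can never exceed 1, which is exactly the 1/0 result in the thread."""
    rows = defaultdict(lambda: {"ACCEPTED": 0, "REJECTED": 0, "ids": set()})
    for tx in transaction(events):
        merchant = tx["alp_merchantid"][0]   # assumes one merchant per batch, as in the sample
        row = rows[(merchant, tx["alp_batchid"])]
        row["ACCEPTED"] += 1 if "ACCEPT" in tx["decision"] else 0
        row["REJECTED"] += 1 if "REJECT" in tx["decision"] else 0
        row["ids"].update(tx["requestID"])   # dc() over the multivalue field still sees every id
    return {k: {"ACCEPTED": r["ACCEPTED"], "REJECTED": r["REJECTED"],
                "BATCH_RECORD_CNT": len(r["ids"])} for k, r in rows.items()}


if __name__ == "__main__":
    for name, fn in (("stats on raw events", stats_counts),
                     ("eval/eventstats after transaction", transaction_counts)):
        print(name)
        for key, row in sorted(fn(EVENTS).items()):
            print("  ", key, row)
```

Running the model shows the point of the "Why are you building a transaction?" question: once the batch has been collapsed into a single event, per-batch sums of a 0/1 eval are bounded by the number of transactions in the group (one), whereas the distinct count of requestID still looks right because `dc()` walks the multivalue field. Counting over the raw events, as in the answer above, keeps one row per request to count.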

Re: How to edit my search to get the count of a decision field?

Engager

I tried the query and the results are still either 1 or 0.

I also tried with another numerical field, "reasonCode" (like below), but got the same results.

| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID

Sample output:

ACCEPTED
1
1

0 Karma