Splunk Search

How to edit my search to get the count of a decision field?

Engager

Hi
I am trying to get the count of events where decision="ACCEPT" or decision="REJECT" by merchant and merchant ID, but the count only returns 1 or 0.

mysearch ....
| transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully"
| rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT, alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
| eval msg_accepted=if(decision="ACCEPT", 1, 0)
| eval msg_rejected=if(decision="REJECT", 1, 0)
| eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED, dc(requestID) as BATCH_RECORD_CNT by MERCHANTID, BATCHID
| table MERCHANTID, BATCHID, BATCH_RECORD_CNT, ACCEPTED, REJECTED, START_TIME, END_TIME, BATCH_DURATION

Issue: the ACCEPTED and REJECTED fields are either 1 or 0.

I am trying to use the functions below to get the count of decision="ACCEPT" or decision="REJECT", but they return either 1 or 0 where there should be a total of 100+.

| eval msg_accepted=if(decision="ACCEPT", 1, 0)
| eval msg_rejected=if(decision="REJECT", 1, 0)
| eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED, dc(requestID) as BATCH_RECORD_CNT by MERCHANTID, BATCHID

Re: How to edit my search to get the count of a decision field?

Legend

Why are you building a transaction? I can't tell if you are using it or not. Are you sure that ACCEPT and REJECT are capitalized in the data, and that the decision field actually exists?


Re: How to edit my search to get the count of a decision field?

Engager

Yes, they are capitals.


Re: How to edit my search to get the count of a decision field?

Legend

Perhaps this will be what you want:

mysearch ....
| stats count(eval(decision=="ACCEPT")) as ACCEPTED, count(eval(decision=="REJECT")) as REJECTED,
        dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid alp_batch_start_time alp_batch_end_time
| rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT,
         alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
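A self-contained check (an added example of mine, not from this thread) that runs the stats count(eval()) pattern from the answer above on constructed records generated with makeresults, so it can be tried without the real data; the field names are the ones used in the thread, the merchant, batch and request values are made up, and one record deliberately carries a lowercase "accept" to show that the eval string comparison is case-sensitive:

```spl
| makeresults count=6
| streamstats count as n
| eval alp_merchantid="M100",
       alp_batchid=if(n<=4, "B1", "B2"),
       requestID="req".n,
       decision=case(n=3 OR n=5, "REJECT", n=6, "accept", true(), "ACCEPT")
| stats count(eval(decision=="ACCEPT")) as ACCEPTED,
        count(eval(decision=="REJECT")) as REJECTED,
        dc(requestID) as BATCH_RECORD_CNT
        by alp_merchantid alp_batchid
| eval UNCLASSIFIED=BATCH_RECORD_CNT-ACCEPTED-REJECTED
| rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID
| table MERCHANTID, BATCHID, BATCH_RECORD_CNT, ACCEPTED, REJECTED, UNCLASSIFIED
```

A non-zero UNCLASSIFIED for a batch means some of its records carry a decision value that matched neither string (wrong case, whitespace, or the field missing), which is the first thing to check when the counts come out lower than the record count.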

Re: How to edit my search to get the count of a decision field?

Engager

I tried the query and the results are either 1 or 0.

I also tried with another numerical field, "reasonCode" (like below), but got the same results.

| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID

Sample output:

ACCEPTED
1
1
