- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to get the count of a decisi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to get the count of a decision field?
Hi
I am trying to get the count if a field decision="ACCEPT" or decision="REJECT" by merchant and his ID , but count only return 1 or 0.
mysearch ....
| transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully"
|rename alp_merchantid as MERCHANTID,alp_batchid as BATCHID,olp_batch_amount as BATCH_AMOUNT,alp_batch_start_time as START_TIME,alp_batch_end_time as END_TIME
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
| table MERCHANTID, BATCHID,BATCH_RECORD_CNT,ACCEPTED,REJECTED,START_TIME,END_TIME,BATCH_DURATION
Issue : ACCEPTED and REJECTED fields are either 1/0.
I am trying to use below function to get the count of decision="ACCEPT" or decision="REJECT" but they return either 1 or 0 where there are a total of 100+
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the query and the results are either 1 or 0 .
i also tried with another numerical field " reasonCode" ( like below) , but same results.
| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID
sample output
ACCEPTED
1
1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps this will be what you want
mysearch ....
| stats count(eval(decision=="ACCEPT")) as ACCEPTED count(eval(decision=="REJECT")) as REJECTED
dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid alp_batch_start_time alp_batch_end_time
|rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT,
alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you building a transaction? I can't tell if you are using it or not. Are you sure that ACCEPT and REJECT are capitalized in the data, and that the decision field actually exists?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes they are capitals.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
