Currently I have a search query that will show when an event happens with the device_id, count, and the device name. The search is set up to count when an event happens, but I also want to know when the event doesn't happen, so it counts devices with 0 count.
Here is my search:
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT"
|rename additionalMessage.requestBody.deviceId as device_id
|stats count(message) by device_id |sort -count(message)
|lookup DeviceNamesAll.csv device_id OUTPUT device_name
Search will show this:
device_id | count(message) | device_name |
0297f12-e0ac-40d6-8ff5-2d2c2787b | 45 | Store12 |
37ca5c1-2c3f-41d-88d4-57f8b354c4 | 41 | Store54 |
I can't figure out how to also count the device_ids that have a count of 0. If anyone could help it would be greatly appreciated!
Try like this
sourcetype="transactions" AND (additionalMessage.requestUrl="*/cashIn/initialize" OR additionalMessage.requestUrl="*/cashIn/update" OR additionalMessage.requestUrl="*/cashIn/updateStatus" OR additionalMessage.requestUrl="*/cashIn/finalize") AND message != "Token time nonce*" message="POST - http://transactions/cashIn/finalize - RESPONSE_SENT"
|rename additionalMessage.requestBody.deviceId as device_id
|stats count(message) as count by device_id
|lookup DeviceNamesAll.csv device_id OUTPUT device_name
| append [| inputlookup DeviceNamesAll.csv | table device_id device_name | eval count=0 ]
| stats max(count) as count by device_id device_name
|sort -count | rename count as "count(message)"
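The approach in the answer above (count per device, append every device from the lookup with count=0, then keep max(count) per device) can be checked offline with a small model of the pipeline. The following Python is an added example, not code from the original post or from Splunk; the event rows and the stand-in for DeviceNamesAll.csv are constructed, and the function and helper names (count_with_zeroes, load_lookup, silent_devices) are assumptions for the illustration. It also handles one edge case the SPL does not: a device_id that appears in events but is missing from the lookup is kept with a placeholder name instead of being dropped, which is what happens in Splunk when a stats by-field is null.

```python
import csv
import io
from collections import Counter

# Constructed sample events (not from the original post): one row per
# "finalize - RESPONSE_SENT" message, keyed by the device that sent it.
EVENTS = [
    {"device_id": "dev-a", "message": "POST - http://transactions/cashIn/finalize - RESPONSE_SENT"},
    {"device_id": "dev-a", "message": "POST - http://transactions/cashIn/finalize - RESPONSE_SENT"},
    {"device_id": "dev-b", "message": "POST - http://transactions/cashIn/finalize - RESPONSE_SENT"},
    {"device_id": "dev-x", "message": "POST - http://transactions/cashIn/finalize - RESPONSE_SENT"},
]

# Constructed stand-in for the DeviceNamesAll.csv lookup.
# dev-c never sends an event; dev-x sends events but is not inventoried.
LOOKUP_CSV = """device_id,device_name
dev-a,Store12
dev-b,Store54
dev-c,Store77
"""


def load_lookup(text):
    """Parse the lookup CSV into {device_id: device_name} (mirrors inputlookup)."""
    return {row["device_id"]: row["device_name"] for row in csv.DictReader(io.StringIO(text))}


def count_with_zeroes(events, lookup_csv):
    """Model of the SPL pipeline:
      stats count by device_id            -> Counter over the events
      append [inputlookup ... eval count=0] -> one zero row per inventoried device
      stats max(count) by device_id        -> max() merges the two row sets
    Devices present in events but absent from the lookup are kept with a
    placeholder name rather than silently discarded.
    """
    names = load_lookup(lookup_csv)
    counts = Counter(e["device_id"] for e in events)

    rows = {}
    # Rows produced by the event search.
    for dev, n in counts.items():
        rows[dev] = max(rows.get(dev, 0), n)
    # Rows appended from the lookup with count=0; max() leaves real counts intact.
    for dev in names:
        rows[dev] = max(rows.get(dev, 0), 0)

    result = [
        {"device_id": d, "count(message)": c, "device_name": names.get(d, "<not in lookup>")}
        for d, c in rows.items()
    ]
    # sort -count, with device_id as a stable tie-breaker.
    result.sort(key=lambda r: (-r["count(message)"], r["device_id"]))
    return result


def silent_devices(rows):
    """The devices the question is really after: inventoried but never seen."""
    return [r["device_id"] for r in rows if r["count(message)"] == 0]


if __name__ == "__main__":
    for r in count_with_zeroes(EVENTS, LOOKUP_CSV):
        print(r)
```

Running it lists dev-a (2), dev-b (1), dev-x (1, flagged as not in the lookup) and dev-c (0); silent_devices() returns just dev-c, the store that never finalized a cash-in in the window, which is the row the original search could not produce.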