Splunk Search

Item count not including quality.

sandeepmakkena
Contributor

Here is the sample log I want a timechart.

{"dtm":"2019-09-04 07:17:39.129 PDT", "logger":".WEB_ORDER_RELEASE", "app":{"a":"OrderBuilderService","dc":"rnodc1","e":"all.test.ce03","h":"rn-aost-c03-lapp17.rno.com","p":"5328","ptn":"AMR","r":"5df90752-abc0-4a05-bf35-f1484f5102ea"}, "msg":{"data":{"cartId":"00000000-00000000-d000-000078669e67","casId":"c2265eae-4db0-403c-a682-0efd25bc1e76","clientSubType":"web.common","clientType":"web","cosId":"1b4b4c51-5c95-4172-ad59-b89a6b2ce3de","deliveryGroup":"SINGLE_ADDRESS_SHIP_PARTIAL","features":["crd","verizonInstallments"],"fraudDecision":"NF","lineItems":[{"commitCode":"0","deliveryDate":"Tomorrow","deliveryType":"STH","partNumber":"MT312LL/A","product":"iPhone XR 64GB White","qty":"5","resolvedDate":"Tomorrow","shipMethodCode":"SO"}],"ops.response":"SUCCEEDED","orderType":"order","payments":["CARD"],"pssId":"W6474e26fbfd74dadb7e240350adb9c20","remoteHost":"12.11.11.111","storeFront":{"channel":"common.internet","formatCode":"common","geo":"w.ar.uss","language":"en-us","segment":"consumer","storeFrontId":"10078"},"webOrderNumber":"W7726473007"},"headerData":{"channel":"common.internet","dssId":"22079241-ac7d-4496-8b9b-e5624b6792c0","format":"common","geo":"w.ar.uss","hashedPersonId":"fGeEFnkTSPfUgzcrbTHNYH31lWfY50g2MEAwXapV/1Q=","language":"en-us","mileStoneId":"WEB_ORDER_RELEASE","segment":"consumer","storefrontId":"10078"}}}

Here is what I am using. | timechart count by product usenull=f useother=f but, It is not including qty in the count.
Thanks for your time.

0 Karma
1 Solution

mayurr98
Super Champion

what do you mean by not including qty?
try this?
| timechart count(qty) by product usenull=f useother=f

OR
| timechart values(qty) by product usenull=f useother=f

View solution in original post

0 Karma

somesoni2
Revered Legend

Just use sum(qty) instead of count in your timechart. The count is just for counting number of result.

0 Karma

solarboyz1
Builder
| timechart count, sum(qty) by product usenull=f useother=f

This would show you the count of events, and sum of the qty field (assuming that field is extracted) by product over time.

0 Karma

mayurr98
Super Champion

what do you mean by not including qty?
try this?
| timechart count(qty) by product usenull=f useother=f

OR
| timechart values(qty) by product usenull=f useother=f

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...