Splunk Search

Listing detail of an individual without using stats and BY

phamxuantung
Communicator

Hi,

I have a dataset about transactions; each event is a transaction detail with the response code (success or not), the amount, the channel they paid through, etc. I want to make a report about each individual with information like name, total transactions, amount and channel. Each individual has an ID to identify them, but I don't want it in the table.

When I use code like this

index=xxx source=xxx
| eval SUCCESS = if(RESPONSE_CODE="0",1,0)
| stats count as Total, sum(SUCCESS) as Total_suc, sum(AMMOUNT) as Total_am by ID, CHANNEL
| search Total_suc>=20

The last line of code gives a table listing individuals with more than 20 transactions in each channel, with the details listed above. I want it to look like this:

NAME    | Total_suc | Total_am | Channel
Robert  | 20        | 2000     | MOBAGE
William | 34        | 1200     | RT
Harry   | 23        | 3000     | RT
Harry   | 40        | 4000     | VT

An individual might make transactions through many channels, and their total transactions might be above 20, but they won't appear in the result; another individual can appear many times because they make more than 20 transactions through each channel. Furthermore, the field NAME is the customer's input; the only thing that identifies them is their ID.
Example: Sarah might make 12 transactions in RT and 15 transactions in VT. Their total transactions would be above 20, but they still won't appear because this is listed per channel. Harry, as above, appears twice because they make more than 20 transactions in both RT and VT.

I have several questions I would like to ask:
1. Because I use BY to identify individuals (and the channel they pay through), I don't know whether it is correct or not, because the amount of data is too large.
2. Since stats can only output the fields that appear behind it, I can't show other details related to that individual. If I add more fields behind BY, I can get them, but I'm afraid adding more constraints could make the result incorrect.

Can someone help me with these problems?

Thank you in advance and sorry if the post is too long.


ITWhisperer
SplunkTrust

You can remove the users who haven't done 20 or more across all channels this way

| eventstats count as grand_total by ID
| where grand_total>=20

Hopefully, that will give you the subset of data you are looking for?

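As an added illustration (not part of the thread above and not Splunk's own code), here is a small Python model of the two searches, run over a constructed set of transactions that reproduces the cases in the question: Robert, William and Harry clearing 20 successes in a single channel, Sarah clearing 20 only across channels, and Harry's NAME typed inconsistently. Field names follow the poster's search (ID, NAME, CHANNEL, RESPONSE_CODE, AMMOUNT); the events, the numbers and the `values(NAME)` column used to show a name without grouping by it are assumptions made for the example.

```python
from collections import defaultdict


def make_events():
    """Constructed sample transactions (not data from the original post)."""
    events = []

    def add(id_, name, channel, amount, ok, failed=0):
        # RESPONSE_CODE "0" is a success, anything else a failure, as in the poster's eval.
        for code, n in (("0", ok), ("1", failed)):
            for _ in range(n):
                events.append({"ID": id_, "NAME": name, "CHANNEL": channel,
                               "RESPONSE_CODE": code, "AMMOUNT": amount})

    add("1001", "Robert", "MOBAGE", 100, ok=20, failed=3)
    add("1002", "William", "RT", 50, ok=34)
    add("1003", "Harry", "RT", 100, ok=23)
    add("1003", "harry", "VT", 100, ok=40)    # same ID, NAME typed differently
    add("1004", "Sarah", "RT", 10, ok=12)
    add("1004", "Sarah", "VT", 10, ok=15)     # 27 successes overall, never 20 in one channel
    return events


def stats_by_id_channel(events):
    """Model of:
    stats count as Total, sum(SUCCESS) as Total_suc, sum(AMMOUNT) as Total_am,
          values(NAME) as NAME by ID, CHANNEL
    ID stays the grouping key; NAME is carried along as a display column only."""
    groups = defaultdict(lambda: {"Total": 0, "Total_suc": 0, "Total_am": 0, "names": set()})
    for e in events:
        g = groups[(e["ID"], e["CHANNEL"])]
        g["Total"] += 1
        g["Total_suc"] += 1 if e["RESPONSE_CODE"] == "0" else 0
        g["Total_am"] += e["AMMOUNT"]
        g["names"].add(e["NAME"])
    rows = []
    for (id_, channel), g in sorted(groups.items()):
        rows.append({"ID": id_, "CHANNEL": channel, "Total": g["Total"],
                     "Total_suc": g["Total_suc"], "Total_am": g["Total_am"],
                     "NAME": " / ".join(sorted(g["names"]))})
    return rows


def report_per_channel(events, threshold=20):
    """The poster's search: the threshold is applied after grouping by ID and CHANNEL,
    so a customer who only reaches it across channels (Sarah) is dropped."""
    return [r for r in stats_by_id_channel(events) if r["Total_suc"] >= threshold]


def report_grand_total(events, threshold=20):
    """The answer's approach:
    eventstats count as grand_total by ID | where grand_total>=threshold
    followed by the same stats by ID, CHANNEL. The filter keys on ID only, so every
    channel row of a customer who clears the threshold overall is kept."""
    grand_total = defaultdict(int)
    for e in events:
        grand_total[e["ID"]] += 1
    kept = [e for e in events if grand_total[e["ID"]] >= threshold]
    return stats_by_id_channel(kept)


if __name__ == "__main__":
    ev = make_events()
    for title, rows in (("per channel", report_per_channel(ev)),
                        ("grand total", report_grand_total(ev))):
        print(f"== {title} ==")
        for r in rows:
            print(f'{r["NAME"]:16}{r["Total_suc"]:>5}{r["Total_am"]:>8}  {r["CHANNEL"]}')
```

Two things the model makes visible. First, `eventstats count` in the answer counts every transaction, successful or not; if the 20 should be successful transactions, the same pattern works with `eventstats sum(SUCCESS) as grand_suc by ID` after the eval. Second, keeping ID as the only identity key and adding NAME through `values(NAME)` means a customer whose free-text name varies between transactions still lands in one row per channel, which is what the poster wanted and what grouping by NAME would break.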