Hello,
From the below query
index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20
Just a few observations from what you've posted.

Received request to change

stats count AS Volume by status,count

Then you can use Volume later on with less confusion.

stats command destroys native fields and only gives you the aggregated fields it produces. So you cannot access REJECTED or CONFIRMED.

xyseries line and what you want to do with those values? Feel free to dummy up the data to hide confidential info.

So when I run the query mentioned above I get the following result
The merchantId 1684264 has message "xyz" and also has a REJECT count of 6. I verified that all the REJECTs of this merchantId have the same message.
Now I am trying to execute the query below
index=apps
sourcetype="pos-generic:prod" Received request to change status=CONFIRMED OR status=REJECTED AND message!="xyz"
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| fillnull value=100 result
| eval count = CONFIRMED + REJECTED
| where count >= 10
| where result >= 20
My expectation is not to show the result for merchantId = 1684264, as all 6 of its REJECT counts have this message (my expectation is being fulfilled). When I was trying yesterday it was not; maybe I was doing something wrong.
Now what I want to try is, instead of passing an exact string for the message field, I would want to pass something like message contains something like "item". So it might be "some items missing" or "items not there". So I just want to use "item" as the common
I tried using but it is not giving me any result
I tried using https://answers.splunk.com/answers/479010/how-to-write-a-search-with-the-condition-if-field1.html but no help either
OK, I used something like
| regex message != "item"
Not sure if this would have any further complications. Checking.
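As an added example (not code from this thread), here is a Python re-implementation of the search pipeline run over constructed events, with the message filter widened from an exact string to a case-insensitive "contains item" match so the effect on each merchant can be checked offline. The merchant ids, messages and counts are made up, and a missing status is counted as 0 rather than left to fillnull, which is an assumption about the intended behaviour; in SPL the same exclusion can be written in the base search as NOT message="*item*" or after it as | regex message!="(?i)item".

```python
import re
from collections import defaultdict


def make(merchant, status, message, n):
    """Build n constructed events for one merchant/status/message."""
    return [{"merchantId": merchant, "status": status, "message": message}
            for _ in range(n)]


# Constructed sample data standing in for the pos-generic:prod events.
EVENTS = (
    make("1684264", "CONFIRMED", "ok", 8)
    + make("1684264", "REJECTED", "some items missing", 6)   # all 6 rejects noisy
    + make("2002", "CONFIRMED", "ok", 12)
    + make("2002", "REJECTED", "card declined", 4)           # 25% reject rate
    + make("3003", "CONFIRMED", "ok", 10)
    + make("3003", "REJECTED", "card declined", 1)           # 9.1% reject rate
    + make("4004", "REJECTED", "Items not there", 3)         # only noisy rejects
)


def excluded(message, needle="item"):
    """Equivalent of message!="*item*": True when message contains needle (case-insensitive)."""
    return re.search(re.escape(needle), message or "", re.IGNORECASE) is not None


def reject_rate_report(events, needle="item", min_count=10, min_rate=20.0):
    """Mirror of stats/xyseries/eval/where: merchants with >= min_count decisions
    and a reject percentage >= min_rate, after dropping messages containing needle."""
    counts = defaultdict(lambda: {"CONFIRMED": 0, "REJECTED": 0})
    for ev in events:
        if ev.get("status") not in ("CONFIRMED", "REJECTED"):
            continue                      # status=CONFIRMED OR status=REJECTED
        if excluded(ev.get("message"), needle):
            continue                      # NOT message="*item*"
        counts[ev["merchantId"]][ev["status"]] += 1   # stats count by status, merchantId
    report = {}
    for merchant, c in counts.items():
        total = c["CONFIRMED"] + c["REJECTED"]        # eval count = CONFIRMED + REJECTED
        rate = c["REJECTED"] / total * 100            # eval result = REJECTED/count*100
        if total >= min_count and rate >= min_rate:   # where count >= 10 | where result >= 20
            report[merchant] = {"count": total, "result": round(rate, 1)}
    return report


if __name__ == "__main__":
    for merchant, row in reject_rate_report(EVENTS).items():
        print(merchant, row)
```

With the "item" exclusion, merchant 1684264 drops to 8 decisions and falls under the count threshold, while 2002 is still reported; with a needle that matches nothing, 1684264 is reported at 42.9%.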