What should I feed to my summary Index? and how Sh...

hrishi_deshpand · ‎10-20-2021

INFO | 2021-10-18 05:17 AM | BUSINESS RULE | Payload for ID#: 58916 with status Approved is published

Second Event

msg: INFO | 2021-10-14 10:38 PM | Message consumed: {"InputAmountToCredit":"22.67","CurrencyCode":"AUD","Buid":"1401","OrderNumber":"877118406","Cre ID":"58916"}

I want to have sum of InputAmountToCredit based on status . status can vary to different statuses and ID is common field for both the events (but it differs in key in both the events) How can I extact fields for status InputAmountToCredit and ID. I want to sum amount for each Id who is having same status and generate status wise report.

Also my Searches are slow and I want to implement summary index.

1. I am not sure if tomorrow i want to update my summary index will I be able to do so with new events?

2. How can I decide what should be part of summary index as right now I have the requirement with these two events only.

I am new to splunk so any pointers will help

Thanks for all the support.

somesoni2 · ‎10-20-2021

Give this a try

(base search to fetch event1) OR (base search to fetch event2)
| rex "ID\#\:\s*(?<ID1>\d+) with status (?<Status>\w+)"
| rex "ID\"\:\"(?< ID2>[^\"]+)"
| rex "InputAmountToCredit\"\:\"(?<InputAmountToCredit>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status values(InputAmountToCredit) as InputAmountToCredit by ID
| where Status="Approved"

What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID

field extraction

join

other

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes