Re: What should I feed to my summary Index? and ho...

hrishi_deshpand · ‎10-20-2021

INFO | 2021-10-18 05:17 AM | BUSINESS RULE | Payload for ID#: 58916 with status Approved is published

Second Event

msg: INFO | 2021-10-14 10:38 PM | Message consumed: {"InputAmountToCredit":"22.67","CurrencyCode":"AUD","Buid":"1401","OrderNumber":"877118406","Cre ID":"58916"}

I want to have sum of InputAmountToCredit based on status . status can vary to different statuses and ID is common field for both the events (but it differs in key in both the events) How can I extact fields for status InputAmountToCredit and ID. I want to sum amount for each Id who is having same status and generate status wise report.

Also my Searches are slow and I want to implement summary index.

1. I am not sure if tomorrow i want to update my summary index will I be able to do so with new events?

2. How can I decide what should be part of summary index as right now I have the requirement with these two events only.

I am new to splunk so any pointers will help

Thanks for all the support.

somesoni2 · ‎10-20-2021

Give this a try

(base search to fetch event1) OR (base search to fetch event2)
| rex "ID\#\:\s*(?<ID1>\d+) with status (?<Status>\w+)"
| rex "ID\"\:\"(?< ID2>[^\"]+)"
| rex "InputAmountToCredit\"\:\"(?<InputAmountToCredit>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status values(InputAmountToCredit) as InputAmountToCredit by ID
| where Status="Approved"

What should I feed to my summary Index? and how Should I extract fields for status, Amount and ID

field extraction

join

other

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!