I want to have the sum of InputAmountToCredit based on status. Status can vary across different statuses, and ID is a common field for both events (but it has a different key in each event). How can I extract the fields Status, InputAmountToCredit and ID? I want to sum the amount for each ID that has the same status and generate a status-wise report.
Also, my searches are slow and I want to implement a summary index.
1. I am not sure if, when I want to update my summary index tomorrow, I will be able to do so with new events?
2. How can I decide what should be part of the summary index, as right now I have the requirement with these two events only?
(base search to fetch event1) OR (base search to fetch event2)
| rex "ID\#\:\s*(?<ID1>\d+) with status (?<Status>\w+)"
| rex "ID\"\:\"(?<ID2>[^\"]+)"
| rex "InputAmountToCredit\"\:\"(?<InputAmountToCredit>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status values(InputAmountToCredit) as InputAmountToCredit by ID
| where Status="Approved"
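As an added example (not part of the original post), one way to turn the per-ID join above into a status-wise report and feed it from a summary index: the first search is meant to run as a scheduled report (for example hourly) that writes one row per ID, and the second search reports from what has been collected. The index name `credit_summary` and sourcetype `credit_by_id` are assumed names, and the two rex patterns are taken as-is from the post.

```spl
(base search to fetch event1) OR (base search to fetch event2)
| rex "ID\#\:\s*(?<ID1>\d+) with status (?<Status>\w+)"
| rex "ID\"\:\"(?<ID2>[^\"]+)"
| rex "InputAmountToCredit\"\:\"(?<InputAmountToCredit>[^\"]+)"
| eval ID=coalesce(ID1,ID2)
| stats latest(Status) as Status, sum(InputAmountToCredit) as InputAmountToCredit by ID
| collect index=credit_summary sourcetype=credit_by_id

index=credit_summary sourcetype=credit_by_id
| stats latest(Status) as Status, sum(InputAmountToCredit) as InputAmountToCredit by ID
| stats dc(ID) as IDs, sum(InputAmountToCredit) as TotalAmount by Status
```

Each scheduled run appends only its own time window to the summary index, so new events are picked up on the next run; the second `stats ... by ID` in the report collapses an ID that was written by more than one run before the totals per Status are computed, and the `where Status="Approved"` filter belongs in the report, not in the collecting search.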