I executed this
index=apps
status=CONFIRMED OR status=REJECTED
partner_account_name="Level Up"
| stats count by status, merchantId
| xyseries merchantId, status, count
| eval result = (REJECTED)/((CONFIRMED+REJECTED))*100
| eval count = CONFIRMED + REJECTED
| sort result desc
| streamstats last(status) AS prev_status by merchantId
| streamstats last(prev_status) AS two_prev_status by merchantId
| eval consecutive_alerts=if(status="CONFIRMED" AND prev_status="CONFIRMED" AND two_prev_status="CONFIRMED","ALERT","GOOD")
I am getting the result like this https://share.getcloudapp.com/p9uKjoKm
there are now new columns as prev_status , two_prev_status & consecutive_alerts ( i am fine if these columns are not showing up)
but my main objective is to show be merchants in table with their reject % which did not have last 3 consecutive status as confirmed.
As per the result tried checking with merchantId=1286021 but i can see there was one last confirmed
https://share.getcloudapp.com/lluyzAg7
BTW I tried changing this line
| eval consecutive_alerts=if(status="CONFIRMED" AND prev_status="CONFIRMED" AND two_prev_status="CONFIRMED","ALERT","GOOD")
to
| eval consecutive_alerts=if(status!="CONFIRMED" AND prev_status!="CONFIRMED" AND two_prev_status!="CONFIRMED","ALERT","GOOD")
and
| eval consecutive_alerts=if(status="REJECTED" AND prev_status="REJECTED" AND two_prev_status="REJECTED","ALERT","GOOD")
but not luck
... View more