Hi
I am trying to get the count if a field decision="ACCEPT" or decision="REJECT" by merchant and his ID , but count only return 1 or 0.
mysearch ....
| transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully"
|rename alp_merchantid as MERCHANTID,alp_batchid as BATCHID,olp_batch_amount as BATCH_AMOUNT,alp_batch_start_time as START_TIME,alp_batch_end_time as END_TIME
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
| table MERCHANTID, BATCHID,BATCH_RECORD_CNT,ACCEPTED,REJECTED,START_TIME,END_TIME,BATCH_DURATION
Issue : ACCEPTED and REJECTED fields are either 1/0.
I am trying to use below function to get the count of decision="ACCEPT" or decision="REJECT" but they return either 1 or 0 where there are a total of 100+
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
... View more