Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Calculate w different prices based on cliplevels

JYTTEJ
Communicator
‎06-24-2013 08:02 AM

Hi, I need to make a report which need to calculate with two different prices.

Price 3,33 USD for the first 10000 trx within a month

Price 2,22 for 10001 - 20001 trx within same month

Price 1,11 for 20001 + trx within the same month

I have tried following:

|accum Trx as Accum_trx |EVAL Charge=if(Accum_trx <10000,3.33, if(Accum_trx>10001 AND Accum_trx<20001,2.22, 1.11))

If Accum_trx are

3444

7000

9500

10500

the search will calculate 9500*3.33

and 10500 minus 9500 = 1000*2.22

I need to calculate 500 * 3.33 and 500 * 2.22 instead.

How do I accomplish this?

Tags (1)
0 Karma
Reply

lguinn2
Legend
‎07-15-2013 09:01 AM

Second answer, based on the request to show how the charges were calculated

yoursearchhere
| stats count as totalTransactions by customer
| eval charge = case(totalTransactions < 10001,totalTransactions *3.33,
                     totalTransactions < 20001,33300+(totalTransactions-10000)*2.22,
                     totalTransactions > 20000,55500+(totalTransactions-20000)*1.11)
| eval Transactions = case(totalTransactions < 10001,tostring(totalTransactions),
                     totalTransactions < 20001,"10000\n"+tostring(totalTransactions-10000)),
                     totalTransactions > 20000,"10000\n10000\n"+tostring(totalTransactions-20000))
| eval Rates = case(totalTransactions < 10001,"3.33",
                     totalTransactions < 20001,"3.33\n2.22",
                     totalTransactions > 20000,"3.33\n2.22\n1.11")
| table customer totalTransactions charge Transactions Rates

This seemed simplest, but there are other ways

0 Karma
Reply

lguinn2
Legend
‎06-24-2013 01:40 PM

Why not:

yoursearchhere
| stats count as numTransactions by customer
| eval charge = case(numTransactions < 10001,numTransactions *3.33,
                     numTransactions < 20001,33300+(numTransactions-10000)*2.22,
                     numTransactions > 20000,55500+(numTransactions-20000)*1.11)
0 Karma
Reply

JYTTEJ
Communicator
‎07-12-2013 04:07 AM

This works fine! - but I also want to display on the same report how the total has been calculated. I.e. a report showing:

CUSTOMER Trx Trx_Charge Amount
XXX 10000 3.33 33300,00
XXX 10000 2.33 22200,00
XXX 1111 1.11 1234,00

  • Do you have more good ideas?
0 Karma
Reply

aholzer
Motivator
‎06-24-2013 10:09 AM

Two things I'd suggest:
1) use the case function instead of nested "ifs"
2) use the "delta" command to calculate the difference between the accum_trx of the previous event and your current event

With these two changes you should be able to get what you need.

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...