Splunk Search

How can I get the total count of payments and total amount of payments?

gowthambr
New Member

index = elm-retail-rws source="/opt/app/jboss/current/standalone/log/PosMultipaymentProfile.log"

0 Karma

woodcock
Esteemed Legend

Just add this to your existing simple search:

| rex "<Amount>(?<Amount>[\d\.]+)<\/Amount>"
| stats count sum(Amount) AS GrandTotal

niketn
Legend

@gowthambr, you would need to provide sample events and the field name based on which Payment/Amount can be pulled.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

gowthambr
New Member

8/31/17
10:14:06.680 PM
22:14:06,680 OtSrkUlG9HcFK6SQ1GP5T2JC INFO * RWS to EWS submitCashPayment Request >>>>>:

<AccountNumber9>*</AccountNumber9>
<StatementCode>1</StatementCode>
<Amount>75.79</Amount>
<MOPClass>VISA16</MOPClass>
<SiteId>476</SiteId>
<WorkStationId>Pos</WorkStationId>
>
0 Karma

gowthambr
New Member

This event is from the webservice call

0 Karma

niketn
Legend

Kindly re-post the above sample event using the code button (101010) so that special characters do not get escaped. Also make sure you anonymize/mask sensitive information.

Do you already have fields extracted from XML like Amount etc? What is the identification (pattern) of Payment Data? Is there any specific root node or other node for Payment information?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

niketn
Legend

Since crucial information about the event is still pending, you can start off with the following:

index = elm-retail-rws source="/opt/app/jboss/current/standalone/log/PosMultipaymentProfile.log" "<Amount>" "</Amount>" NOT "<Amount></Amount>"
| rex field=_raw "<Amount>(?<Amount>[^\>]+)<\/Amount>"
| stats count as Payments sum(Amount) as TotalAmount

You can eventually switch to spath so that field extraction is easy and more statistical data is available. You can also add MOPClass field and then split the TotalAmount by Method of Payment like VISA, Mastercard etc.

PS: In order to identify only the events with Payments I have added the NOT "<Amount></Amount>" condition in the search; this should be replaced with the search filters which select only the events with Payment information.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
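The rex-and-stats pipeline from the two answers above, re-implemented in Python as an added example (it is not code from this thread or from Splunk) so it can be run offline over a few constructed sample events. It uses the same `<Amount>` regex, applies the same rule of ignoring events whose `<Amount>` is empty, adds the split by MOPClass that niketn suggests, and keeps money in `Decimal` rather than float. The sample events, their timestamps, amounts and MOPClass values, and the function names are all invented for this example.

```python
import re
from collections import defaultdict
from decimal import Decimal, InvalidOperation

# Same extraction patterns as the rex commands in the answers above, in Python
# regex syntax (Splunk's (?<Amount>...) named group is a plain group here).
AMOUNT_RE = re.compile(r"<Amount>([^>]+)</Amount>")
MOP_RE = re.compile(r"<MOPClass>([^>]+)</MOPClass>")


def _event(amount_text, mop, when="22:14:06,680"):
    """Build one constructed submitCashPayment request event in the posted
    layout. The account number is masked exactly as in the post; the amount,
    MOPClass and timestamp are made up for this example."""
    return (
        f"{when} OtSrkUlG9HcFK6SQ1GP5T2JC INFO * RWS to EWS submitCashPayment Request >>>>>:\n"
        "<AccountNumber9>*</AccountNumber9>\n<StatementCode>1</StatementCode>\n"
        f"<Amount>{amount_text}</Amount>\n<MOPClass>{mop}</MOPClass>\n"
        "<SiteId>476</SiteId>\n<WorkStationId>Pos</WorkStationId>"
    )


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    _event("75.79", "VISA16"),
    _event("120.00", "MASTERCARD", "22:15:10,021"),
    _event("20.50", "CASH", "22:16:44,903"),
    _event("", "VISA16", "22:17:02,115"),      # empty <Amount></Amount>: not a payment
    _event("N/A", "ECHECK", "22:18:31,540"),   # malformed amount: SPL counts it, sum() skips it
    _event("10.21", "VISA16", "22:19:05,777"),
    # a constructed response event with no <Amount> element at all; the
    # "<Amount>" "</Amount>" search terms would drop it before rex runs
    "22:20:00,000 OtSrkUlG9HcFK6SQ1GP5T2JC INFO * RWS to EWS submitCashPayment Response <<<<<:\n"
    "<ResultCode>0</ResultCode>",
]


def parse_amount(event):
    """Return the Decimal amount of a payment event.

    Returns None when there is no non-empty <Amount> (the same events the
    NOT "<Amount></Amount>" filter removes) and raises ValueError when the
    element is present but not a finite number."""
    match = AMOUNT_RE.search(event)
    if not match:
        return None
    try:
        value = Decimal(match.group(1))
    except InvalidOperation:
        raise ValueError(f"non-numeric amount: {match.group(1)!r}")
    if not value.is_finite():          # Decimal() accepts "NaN"/"Infinity"; refuse them
        raise ValueError(f"non-finite amount: {match.group(1)!r}")
    return value


def parse_mop(event):
    """Return the MOPClass of an event, or UNKNOWN when the element is missing."""
    match = MOP_RE.search(event)
    return match.group(1) if match else "UNKNOWN"


def payment_totals(events):
    """Equivalent of `| stats count AS Payments sum(Amount) AS TotalAmount`
    plus the same stats split `by MOPClass`. Events whose <Amount> is present
    but unparsable are reported under BadAmount instead of Payments."""
    by_mop = defaultdict(lambda: {"Payments": 0, "TotalAmount": Decimal("0")})
    summary = {"Payments": 0, "TotalAmount": Decimal("0"), "BadAmount": 0}
    for event in events:
        try:
            amount = parse_amount(event)
        except ValueError:
            summary["BadAmount"] += 1
            continue
        if amount is None:
            continue                   # no payment data in this event
        summary["Payments"] += 1
        summary["TotalAmount"] += amount
        bucket = by_mop[parse_mop(event)]
        bucket["Payments"] += 1
        bucket["TotalAmount"] += amount
    summary["ByMOP"] = dict(by_mop)
    return summary


if __name__ == "__main__":
    result = payment_totals(SAMPLE_EVENTS)
    print(f"Payments={result['Payments']} TotalAmount={result['TotalAmount']} "
          f"BadAmount={result['BadAmount']}")
    for mop, bucket in sorted(result["ByMOP"].items()):
        print(f"  {mop:<12} {bucket['Payments']:>3} {bucket['TotalAmount']:>10}")
```

Two things to check when running the SPL itself rather than this script: `stats count` counts every event that reaches it, so an event whose `<Amount>` holds something non-numeric is included in Payments while `sum(Amount)` leaves it out, which is why the script reports such events separately as BadAmount; and the event as posted carries an account-number element right next to the amount, so mask it before pasting events anywhere, as niketn asks above.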

gowthambr
New Member

Hi Niket,
This was very helpful, and MOP was the requirement too, but I could not find the documentation for MOPClass, and I am very new to Splunk, so I am not getting how to go ahead.
These are the types of transactions: VISA, MasterCard, cash, AX, ECHECK etc. Could you please help with these things as well?
Thank you very much

0 Karma