index = elm-retail-rws source="/opt/app/jboss/current/standalone/log/PosMultipaymentProfile.log"
Just add this to your existing simple search:
| rex "<Amount>(?<Amount>[\d\.]+)<\/Amount>"
| stats count sum(Amount) AS GrandTotal
@gowthambr, you would need to provide sample events and the field name based on which Payment/Amount can be pulled.
8/31/17
10:14:06.680 PM
22:14:06,680 OtSrkUlG9HcFK6SQ1GP5T2JC INFO * RWS to EWS submitCashPayment Request >>>>>:
<AccountNumber9>*</AccountNumber9>
<StatementCode>1</StatementCode>
<Amount>75.79</Amount>
<MOPClass>VISA16</MOPClass>
<SiteId>476</SiteId>
<WorkStationId>Pos</WorkStationId>
>
This event is from the web service call.
Kindly repost the above sample event using the code button (101010) so that special characters do not get escaped. Also make sure you anonymize/mask sensitive information.
Do you already have fields extracted from the XML, like Amount etc.? What is the identifying pattern of Payment data? Is there a specific root node or other node for Payment information?
Since crucial information about the event is still pending, you can start off with the following:
index = elm-retail-rws source="/opt/app/jboss/current/standalone/log/PosMultipaymentProfile.log" "<Amount>" "</Amount>" NOT "<Amount></Amount>"
| rex field=_raw "<Amount>(?<Amount>[^\>]+)<\/Amount>"
| stats count as Payments sum(Amount) as TotalAmount
You can eventually switch to spath so that field extraction is easier and more statistical data is available. You can also add the MOPClass field and then split the TotalAmount by Method of Payment like VISA, Mastercard etc.
PS: In order to identify only the events with Payments I have added the NOT "<Amount></Amount>" condition in the search; this should be replaced with the search filters which select only the events with Payment information.
Hi Niket,
This was very helpful, and MOP was the requirement too, but I could not find the documentation for MOPClass and I am very new to Splunk, so I am not getting how to go ahead.
These are the types of transactions: VISA, MasterCard, cash, AX, ECHECK etc. Could you please help with these things as well.
Thank you very much
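An added example (not from any post in this thread) of the MOPClass split Niket suggests and this follow-up asks about: extract Amount and MOPClass from the same event and total per method of payment. It assumes every payment event carries both tags as in the sample above, and that codes like VISA16 differ from VISA only by a trailing number (the `replace` step); both are assumptions about this log, not documented behaviour.

```spl
index=elm-retail-rws source="/opt/app/jboss/current/standalone/log/PosMultipaymentProfile.log" "<Amount>" "<MOPClass>" NOT "<Amount></Amount>"
| rex field=_raw "<Amount>(?<Amount>[^<]+)</Amount>"
| rex field=_raw "<MOPClass>(?<MOPClass>[^<]+)</MOPClass>"
| eval Amount=tonumber(Amount)
| where isnotnull(Amount) AND isnotnull(MOPClass)
| eval MOP=replace(MOPClass, "\d+$", "")
| stats count AS Payments sum(Amount) AS TotalAmount BY MOP
| eval TotalAmount=round(TotalAmount, 2)
| sort - TotalAmount
| addcoltotals labelfield=MOP label="ALL"
```

The `tonumber` and `where` steps keep events whose Amount is missing or not numeric out of both the count and the sum instead of letting them silently distort the totals. Drop the `replace` line and group `BY MOPClass` if the raw codes are what you need to report on.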