- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to edit my search to get the count of a de...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to edit my search to get the count of a decision field?
Hi
I am trying to get the count if a field decision="ACCEPT" or decision="REJECT" by merchant and his ID , but count only return 1 or 0.
mysearch ....
| transaction alp_batchid startswith="Got file to process: /var/mware/alp/validated" endswith="processed successfully"
|rename alp_merchantid as MERCHANTID,alp_batchid as BATCHID,olp_batch_amount as BATCH_AMOUNT,alp_batch_start_time as START_TIME,alp_batch_end_time as END_TIME
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
| table MERCHANTID, BATCHID,BATCH_RECORD_CNT,ACCEPTED,REJECTED,START_TIME,END_TIME,BATCH_DURATION
Issue : ACCEPTED and REJECTED fields are either 1/0.
I am trying to use below function to get the count of decision="ACCEPT" or decision="REJECT" but they return either 1 or 0 where there are a total of 100+
| eval msg_accepted=if(decision="ACCEPT", 1, 0) | eval msg_rejected=if(decision="REJECT", 1, 0)
|eventstats sum(msg_accepted) as ACCEPTED, sum(msg_rejected) as REJECTED,dc(requestID) as BATCH_RECORD_CNT by MERCHANTID,BATCHID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the query and the results are either 1 or 0 .
i also tried with another numerical field " reasonCode" ( like below) , but same results.
| stats count(eval(reasonCode="100")) as ACCEPTED by BATCHID
sample output
ACCEPTED
1
1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perhaps this will be what you want
mysearch ....
| stats count(eval(decision=="ACCEPT")) as ACCEPTED count(eval(decision=="REJECT")) as REJECTED
dc(requestID) as BATCH_RECORD_CNT by alp_merchantid alp_batchid alp_batch_start_time alp_batch_end_time
|rename alp_merchantid as MERCHANTID, alp_batchid as BATCHID, olp_batch_amount as BATCH_AMOUNT,
alp_batch_start_time as START_TIME, alp_batch_end_time as END_TIME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are you building a transaction? I can't tell if you are using it or not. Are you sure that ACCEPT and REJECT are capitalized in the data, and that the decision field actually exists?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes they are capitals.
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
