Hi all,
I have a bank transaction XML log with DATE, CC, AMOUNT. I need to show all transactions of the current day whose amount is higher than the average transaction amount for this customer for the previous month.
Here is the log example:
I found one similar topic and tried this so far, but it doesn't work:
eval epochtime=strptime(DATE, "%d%m%Y")
| where epochtime=relative_time(epochtime, "-1mon@mon")<=epochtime
| eval date=strftime(epochtime, "%d-%m-%Y")
| eval cardmask=substr(CC, 0,4)+"******"
| eval cardmask1=substr(CC, 11,12)
| eval mask=cardmask+cardmask1
| stats sum(AMOUNT) as TodaySum by mask
| appendcols [ search sourcetype="..."
    | xmlkv
    | eval epochtime=strptime(Date, "%d%m%y")
    | where epochtime=relative_time(epochtime, "@d")<=epochtime AND relative_time(epochtime, "-1mon@mon")<=epochtime
    | eval date=strftime(epochtime, "%d-%m-%Y")
    | eval cardmask=substr(CC, 0,4)+"******"
    | eval cardmask1=substr(CC, 11,12)
    | eval mask=cardmask+cardmask1
    | stats avg(AMOUNT) as LastMonthAvg by mask ]
eval alert=if(TodaySum > LastMonthAvg, "OK","NOK")
Please, I need help; I've got no more ideas.
Thank you 🙂
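The check described in the question, as an added example that is not part of the original post: a stand-alone Python script (rather than SPL) over a constructed XML log. It assumes one `<transaction>` element per event with `DATE` (ddmmyyyy), `CC` and `AMOUNT` children, a fixed reference "today", and a mask of first four plus last four digits; it goes beyond the post by giving cards with no previous-month history their own status instead of a missing average.

```python
"""Flag today's card transactions above the card's previous-month average."""
from datetime import date
from statistics import mean
import xml.etree.ElementTree as ET

# Constructed sample log (assumed layout, not the original poster's data).
SAMPLE_LOG = """<log>
  <transaction><DATE>03032024</DATE><CC>4111111111111111</CC><AMOUNT>50.00</AMOUNT></transaction>
  <transaction><DATE>15022024</DATE><CC>4111111111111111</CC><AMOUNT>20.00</AMOUNT></transaction>
  <transaction><DATE>20022024</DATE><CC>4111111111111111</CC><AMOUNT>40.00</AMOUNT></transaction>
  <transaction><DATE>03032024</DATE><CC>5500000000000004</CC><AMOUNT>10.00</AMOUNT></transaction>
  <transaction><DATE>10022024</DATE><CC>5500000000000004</CC><AMOUNT>15.00</AMOUNT></transaction>
  <transaction><DATE>03032024</DATE><CC>4000000000000002</CC><AMOUNT>99.00</AMOUNT></transaction>
  <transaction><DATE>28012024</DATE><CC>4111111111111111</CC><AMOUNT>500.00</AMOUNT></transaction>
</log>"""
REFERENCE_DAY = date(2024, 3, 3)  # assumed "current day" for the sample


def mask_card(cc: str) -> str:
    """Assumed mask: first four and last four digits, middle replaced (never log the full PAN)."""
    return cc[:4] + "******" + cc[-4:]


def previous_month_window(today: date):
    """Return [first day of previous month, first day of current month); handles January."""
    first_this = today.replace(day=1)
    if first_this.month == 1:
        return first_this.replace(year=first_this.year - 1, month=12), first_this
    return first_this.replace(month=first_this.month - 1), first_this


def parse_log(xml_text: str):
    """Parse the XML log into (date, card, amount) rows; DATE is ddmmyyyy."""
    rows = []
    for tx in ET.fromstring(xml_text).iter("transaction"):
        d = tx.findtext("DATE")
        rows.append((date(int(d[4:8]), int(d[2:4]), int(d[0:2])), tx.findtext("CC"), float(tx.findtext("AMOUNT"))))
    return rows


def flag_transactions(xml_text: str, today: date):
    """Compare each of today's transactions with the same card's previous-month average."""
    start, end = previous_month_window(today)
    rows = parse_log(xml_text)
    baseline = {}
    for d, cc, amt in rows:
        if start <= d < end:  # only the previous calendar month feeds the baseline
            baseline.setdefault(mask_card(cc), []).append(amt)
    alerts = []
    for d, cc, amt in rows:
        if d != today:
            continue
        m = mask_card(cc)
        avg = mean(baseline[m]) if m in baseline else None  # None: no history last month
        status = "NO_BASELINE" if avg is None else ("ABOVE_AVG" if amt > avg else "OK")
        alerts.append({"mask": m, "amount": amt, "last_month_avg": avg, "alert": status})
    return alerts


def run_sample():
    return flag_transactions(SAMPLE_LOG, REFERENCE_DAY)
```

A card with no previous-month transactions is reported as NO_BASELINE rather than dropped, which is where an appendcols-style join of two separate stats outputs would otherwise misalign rows.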