The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to report on which customers have the most payments processed. For more information, review the use case monitoring payment responses.
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.
| Splunk Search | Explanation |
|---|---|
| `sourcetype=<payment processing data>` | Search only your payment processing data. |
| `\| eval _time=strptime(_time, "%Y/%m/%d %H:%M:%S")` | Parse the time stamp into a UNIX time value. |
| `\| sort _time` | Sort the results from oldest to newest. |
| `\| stats count values(_time) AS _time values(amount) AS amount BY customer` | Count the events, and collect the times and amounts of the payments, grouped by customer. |
| `\| where count>2 AND (count%2==0)` | Keep only customers with more than 2 events and an even event count, since each completed payment is counted as a pair of events. |
| `\| eval CompletedPayments=count/2` | Calculate the CompletedPayments field as the count divided by 2. |
| `\| top CompletedPayments BY customer` | Find the most common values of CompletedPayments, and calculate the count and the percentage of events in which each value occurs. Group the results by customer. |
| `\| sort -CompletedPayments` | Sort by the number of completed payments, highest count first. |
| `\| head 10` | Limit the results to the top 10. |
| `\| fields - count, percent` | Remove the count and percent fields added by the top command from the results. |
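To check what the search computes before running it over hundreds of GBs of events, the aggregation logic (count per customer, the even-count filter, count/2, rank and head) can be reproduced on a handful of constructed events. This is an added illustration, not part of the Splunk use case; the event dictionaries and customer names are made up, and the time format matches the `strptime` call in the search.

```python
from collections import Counter
from datetime import datetime

# Constructed sample events in the shape the search assumes: two events
# (e.g. a request and its response) per completed payment. Not real data.
SAMPLE_EVENTS = [
    {"_time": "2024/01/05 09:00:00", "customer": "acme", "amount": 120.0},
    {"_time": "2024/01/05 09:00:02", "customer": "acme", "amount": 120.0},
    {"_time": "2024/01/05 09:05:00", "customer": "acme", "amount": 45.5},
    {"_time": "2024/01/05 09:05:01", "customer": "acme", "amount": 45.5},
    {"_time": "2024/01/05 09:09:00", "customer": "acme", "amount": 10.0},
    {"_time": "2024/01/05 09:09:03", "customer": "acme", "amount": 10.0},
    {"_time": "2024/01/05 10:00:00", "customer": "globex", "amount": 99.0},
    {"_time": "2024/01/05 10:00:01", "customer": "globex", "amount": 99.0},
    {"_time": "2024/01/05 10:30:00", "customer": "globex", "amount": 12.0},
    {"_time": "2024/01/05 10:30:02", "customer": "globex", "amount": 12.0},
    # initech has an unpaired event (odd count): dropped by count%2==0
    {"_time": "2024/01/05 11:00:00", "customer": "initech", "amount": 5.0},
    {"_time": "2024/01/05 11:00:01", "customer": "initech", "amount": 5.0},
    {"_time": "2024/01/05 11:20:00", "customer": "initech", "amount": 7.0},
    # umbrella has exactly one pair: dropped by count>2
    {"_time": "2024/01/05 12:00:00", "customer": "umbrella", "amount": 1.0},
    {"_time": "2024/01/05 12:00:01", "customer": "umbrella", "amount": 1.0},
]

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # same format as the eval/strptime step


def parse_and_sort(events):
    """Mirror `eval _time=strptime(...) | sort _time`: parse to UNIX time, oldest first."""
    parsed = [dict(e, _time=datetime.strptime(e["_time"], TIME_FORMAT).timestamp())
              for e in events]
    return sorted(parsed, key=lambda e: e["_time"])


def completed_payments(events):
    """Mirror `stats count BY customer | where count>2 AND count%2==0
    | eval CompletedPayments=count/2`. Returns {customer: CompletedPayments}."""
    counts = Counter(e["customer"] for e in events)
    return {c: n // 2 for c, n in counts.items() if n > 2 and n % 2 == 0}


def top_customers(events, limit=10):
    """Mirror `sort -CompletedPayments | head <limit>` as (customer, n) pairs."""
    completed = completed_payments(parse_and_sort(events))
    return sorted(completed.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]
```

Note that a customer with an odd event count is dropped entirely rather than reported with the unpaired event ignored, so an unmatched request hides that customer from the report.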