Hi All,
I have a CSV file with the following information
date,retailer,lower,upper,price_rate
20120621,retailer1,0,10,10
20120621,retailer1,10,20,8
20120621,retailer1,20,100,5
20120621,retailer2,0,10,10
20120621,retailer2,10,20,8
20120621,retailer2,20,100,5
Now there are Splunk events which contains hourly usage
_time, retailer, usage
So I want to get a sum of all the usage over one month with something like
sourcetype="myData" | stats sum(usage) by retailer
But I then want to calculate a total cost.
So for example the if the total usage over the month was 50.
- The first 10 would be priced at $10 per unit
- The second 10 units would be priced at $8 per unit
- The remaining 30 units would be priced at $5 per unit
How can I do this in a Splunk search?
Harder still the original CSV was actually intended to be a time based lookup so it would only use the associated date section based on the _time from the events.
I am thinking maybe I should restructure this CSV and join it 3 times in the props.conf somehow???
Any assistance would be greatly appreciated.
