topic Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report. in Splunk Search

Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

alfiyashaikh — Thu, 23 Nov 2017 10:14:11 GMT

I have 20 searches to be performed on a single .csv log file . Every search results a different feedback like "missing value", "blank resolution", "breached" etc. I want all these feedbacks to be updated in a single "feedback" column in the output report .

I am stuck at :
1] How to get a textual feedback added to Feedback column after my search filters out the required events.
2] How to automate these 20 searches sequentially.
3] A single event can have more than 1 feedback.

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

gcusello — Thu, 23 Nov 2017 11:14:37 GMT

Hi alfiyashaikh,
do you want to have only one search or do you have many searches and result must be added to the same csv output file?

in the first case you have to use the append command:

my_search_1
| rename column_field1 AS field column_message1 AS message
| table field message
| append [ search 
     my_search_2
    | rename column_field2 AS field column_message2 AS message
    | table field message
    ]
| append [ search 
     my_search_3
    | rename column_field3 AS field column_message3 AS message
    | table field message
    ]
| table field message

If instead you want to add result to an output csv file, you have to separately run your searches adding to the end the line

| outputcsv append=true my_outputfile.csv

Bye.
Giuseppe

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

woodcock — Mon, 27 Nov 2017 14:39:18 GMT

Check out this Q&A for a very similar conversation with many suggestions:

https://answers.splunk.com/answers/594332/pattern-loopable-lookup-table-to-bypass-map-subsea.html

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

woodcock — Mon, 27 Nov 2017 14:40:27 GMT

Maybe you can use only 1 mega search and 20 clauses after a |multireport after it. It would look like this:

|inputcsv YourFileHere | multireport
[SPL for analysis #1 here | table foo bar feedback]
. . . . . . . .
[SPL for analysis #20 here | table foo bar feedback]
| stats values(feedback) AS feedback BY foo bar

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

alfiyashaikh — Tue, 05 Dec 2017 05:16:00 GMT

Hi cusello and woodcock ,

Thank you for your help.

2] How to automate these 20 searches sequentially.
- "append" worked for this case.

For feedback:
1] How to get a textual feedback added to Feedback column after my search filters out the required events

By eval, I entered the feedback [|eval Feedback="Blank resolution" ], similarly added required feedback for each search .

3] A single event can have more than 1 feedback.
I used [ |outputcsv XYZcsvfile ] at the extreme end of my search
so I even got multiple feedback for single event.

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

woodcock — Tue, 05 Dec 2017 08:07:52 GMT

I am lost. Do you have a working solution? Do you understand the pieces that have been shown so far? If not, you need to show sample data and a mockup of the desired solution or I don't think anyone will be able to dig deeper.

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

alfiyashaikh — Tue, 29 Sep 2020 17:03:51 GMT

Input file in a Incident data log file"

((index="") (sourcetype="Remedy")) | eval Feedback="Feedback message"
|fields "Incident", "time", "Resolution", "Status", "Vendor Ticket Number", "Feedback"
|search (Resolution != "*why did it happen" AND Resolution != "closer") AND Status="Resolved"
|table "Incident ID", "Feedback" "_time", "Resolution", "Status", "Vendor Ticket Number"

|append [next search]
|append [next search]

|outputcsv output_csv_file

After running this search a new .csv is created in my C:\Program Files\Splunk\var\run\splunk\csv local folder.
It contains the required fields and respective feedbacks for all the searches appended

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

alfiyashaikh — Tue, 05 Dec 2017 09:31:08 GMT

I tried using multireport too.
But it is not giving me any statistics table "NO results found" , and no. of events that it shows is also incorrect.
splunk doesn't take "multireport" as key word/library key word/ lib predefined word.

((index="") (sourcetype="Remedy"))
| multireport [ eval Feedback="BLANK RESOLUTION"
|fields "Incident ID", "_time", "Resolution", "Status", "Vendor Ticket Number", "Feedback", "Resolution Categorization Tier"
|search (Resolution != "why did it happen" AND Resolution != "closer") AND Status="Resolved"
|table "Incident ID", "Feedback" "_time", "Resolution", "Status", "Vendor Ticket Number", "Resolution Categorization Tier*"]

[search ((index="" OR index="_") (sourcetype="Remedy")) |eval Feedback="feedback message"
|fields "Incident ID",....
|search ("my search")
|table "Incident ID", "Feedback" ....]

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

Skins — Wed, 06 Dec 2017 00:31:34 GMT

Excuse the Hijack .. On a side note - if this is remedy AR ? how are you getting this info into Splunk ?

Re: Automating 20 diffrent searches on a single .csv log file , and getting textual feedback from this searches added to report.

alfiyashaikh — Wed, 06 Dec 2017 05:21:48 GMT

extracting xls file from remedy and manually uploading it on Splunk enterprise