Automating 20 different searches on a single .csv log file, and getting textual feedback from these searches added to a report.

alfiyashaikh
New Member

I have 20 searches to be performed on a single .csv log file. Every search results in a different feedback like "missing value", "blank resolution", "breached" etc. I want all these feedbacks to be updated in a single "Feedback" column in the output report.

I am stuck at :
1] How to get a textual feedback added to Feedback column after my search filters out the required events.
2] How to automate these 20 searches sequentially.
3] A single event can have more than 1 feedback.

1 Solution

gcusello
SplunkTrust

Hi alfiyashaikh,
do you want to have only one search, or do you have many searches whose results must be added to the same csv output file?

In the first case you have to use the append command:

my_search_1
| rename column_field1 AS field column_message1 AS message
| table field message
| append [ search 
     my_search_2
    | rename column_field2 AS field column_message2 AS message
    | table field message
    ]
| append [ search 
     my_search_3
    | rename column_field3 AS field column_message3 AS message
    | table field message
    ]
| table field message

If instead you want to add results to an output csv file, you have to run your searches separately, adding to the end the line

| outputcsv append=true my_outputfile.csv

Bye.
Giuseppe

alfiyashaikh
New Member

Hi gcusello and woodcock,

Thank you for your help.

2] How to automate these 20 searches sequentially.
- "append" worked for this case.

For feedback:
1] How to get a textual feedback added to the Feedback column after my search filters out the required events.

By eval, I entered the feedback [ | eval Feedback="Blank resolution" ], and similarly added the required feedback for each search.

3] A single event can have more than 1 feedback.
I used [ | outputcsv XYZcsvfile ] at the extreme end of my search,
so I even got multiple feedbacks for a single event.

woodcock
Esteemed Legend

I am lost. Do you have a working solution? Do you understand the pieces that have been shown so far? If not, you need to show sample data and a mockup of the desired solution or I don't think anyone will be able to dig deeper.

alfiyashaikh
New Member

Input file is an Incident data log file:

((index="") (sourcetype="Remedy")) | eval Feedback="Feedback message"
| fields "Incident ID", "_time", "Resolution", "Status", "Vendor Ticket Number", "Feedback"
| search (Resolution != "why did it happen" AND Resolution != "closer") AND Status="Resolved"
| table "Incident ID", "Feedback", "_time", "Resolution", "Status", "Vendor Ticket Number"

| append [next search]
| append [next search]

| outputcsv output_csv_file

After running this search a new .csv is created in my C:\Program Files\Splunk\var\run\splunk\csv local folder.
It contains the required fields and the respective feedbacks for all the appended searches.

alfiyashaikh
New Member

I tried using multireport too.
But it is not giving me any statistics table ("No results found"), and the number of events that it shows is also incorrect.
Splunk doesn't take "multireport" as a keyword / library keyword / predefined word.

((index="") (sourcetype="Remedy"))
| multireport [ eval Feedback="BLANK RESOLUTION"
    | fields "Incident ID", "_time", "Resolution", "Status", "Vendor Ticket Number", "Feedback", "Resolution Categorization Tier"
    | search (Resolution != "why did it happen" AND Resolution != "closer") AND Status="Resolved"
    | table "Incident ID", "Feedback", "_time", "Resolution", "Status", "Vendor Ticket Number", "Resolution Categorization Tier*" ]

  [ search ((index="" OR index="_") (sourcetype="Remedy")) | eval Feedback="feedback message"
    | fields "Incident ID", ....
    | search ("my search")
    | table "Incident ID", "Feedback" .... ]

Skins
Path Finder

Excuse the hijack. On a side note: if this is Remedy AR, how are you getting this info into Splunk?

alfiyashaikh
New Member

Extracting an xls file from Remedy and manually uploading it to Splunk Enterprise.

woodcock
Esteemed Legend

Maybe you can use only 1 mega search with 20 clauses after a |multireport. It would look like this:

|inputcsv YourFileHere | multireport
[SPL for analysis #1 here | table foo bar feedback]
. . . . . . . .
[SPL for analysis #20 here | table foo bar feedback]
| stats values(feedback) AS feedback BY foo bar
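
Putting the thread's pieces together (append from the accepted answer, eval for the feedback text, and stats values() to collapse several feedbacks for one incident into a single multivalue Feedback cell), as an added example that is not from any post above. The file name incidents.csv, the output file name, the three sample conditions and the seven-day breach window are assumptions; the field names follow the poster's table, and _time is assumed to be a column in the CSV.

```spl
| inputcsv incidents.csv
| where Status="Resolved" AND (isnull(Resolution) OR trim(Resolution)="")
| eval Feedback="blank resolution"
| table "Incident ID", _time, Resolution, Status, "Vendor Ticket Number", Feedback
| append [
    | inputcsv incidents.csv
    | where isnull('Vendor Ticket Number') OR trim('Vendor Ticket Number')=""
    | eval Feedback="missing value"
    | table "Incident ID", _time, Resolution, Status, "Vendor Ticket Number", Feedback
  ]
| append [
    | inputcsv incidents.csv
    | where Status!="Resolved" AND _time < relative_time(now(), "-7d@d")
    | eval Feedback="breached"
    | table "Incident ID", _time, Resolution, Status, "Vendor Ticket Number", Feedback
  ]
| stats values(Feedback) AS Feedback, min(_time) AS _time, values(Status) AS Status,
        values(Resolution) AS Resolution, values("Vendor Ticket Number") AS "Vendor Ticket Number"
    BY "Incident ID"
| outputcsv incident_feedback.csv
```

Each further check is one more append [ ] block with its own eval Feedback; the closing stats is what gives an incident that matches several checks all of its feedback values in one row instead of duplicate rows.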

woodcock
Esteemed Legend

Check out this Q&A for a very similar conversation with many suggestions:

https://answers.splunk.com/answers/594332/pattern-loopable-lookup-table-to-bypass-map-subsea.html
