I have a field named Issues Reported, whose values go something like this.
Question 1. Can I use these values and create an exact duplicate field called "Temp" with the exact same values as Issues Reported, then use Temp and Issues Reported values and create something like this:
Where Issues headlines represent an overview of the issue, extracted from "Temp" and Issue Reported contains the values extracted from "Issues Reported".
Any help will be appreciated.
Here is one way you might be able to do it:
| makeresults
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password"
| fields - _time
| makemv delim="," Issues
| mvexpand Issues
| eval Issues_h=case(like(upper(Issues),upper("%Windows%")), "Windows Account Issue",
    like(upper(Issues),upper("%SAP%")), "SAP Related Issues",
    like(upper(Issues),upper("%Oracle%")), "Oracle Related Issues")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"
What you would need is everything from "| mvexpand Issues" on, adjusting for field names. The key component here is the "eval Issues_h" part. What that does is assign an Issue Headline to each issue reported. What it does is a case-insensitive match on keywords like Windows, SAP, and Oracle. You can add additional headline labels and keyword matching as needed. Another way to do this is using match in the eval instead of like and using regex to find specific patterns in the text. Does this help? Let me know if you have any questions!
It's perfect. I just used the eval Issues=upper(Issues) command to turn the field values into upper case. Thank you.
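The match-based variant mentioned in the answer, as an added example that is not part of the original posts. It assumes a constructed sample string (the "VPN keeps disconnecting" entry is invented to show the fallback), uses `(?i)` with word boundaries so that "SAP" does not match inside longer words, and adds a `true()` catch-all because rows with a null headline are silently dropped by `stats ... by`.

```spl
| makeresults
| eval Issues="Windows account is locked, Unable to login to SAP, My Oracle account is locked, VPN keeps disconnecting"
| fields - _time
| makemv delim="," Issues
| mvexpand Issues
| eval Issues=trim(Issues)
| eval Issues_h=case(
    match(Issues, "(?i)\bwindows\b|\bAD\b"), "Windows Account Issue",
    match(Issues, "(?i)\bSAP\b"), "SAP Related Issues",
    match(Issues, "(?i)\boracle\b"), "Oracle Related Issues",
    true(), "Uncategorized")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"
```

`case()` returns the first branch that matches, so an issue that mentions two products is filed under whichever pattern is listed first.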