
Using values of a field, compare them in another field and pulling relevant data into one

Communicator

Hi All,

I have a field named Issues Reported, whose values go something like this.


Question 1. Can I use these values and create an exact duplicate field called "Temp" with the exact same values as Issues Reported, then use the Temp and Issues Reported values to create something like this:
Where Issue Headlines represents an overview of the issue, extracted from "Temp", and Issues Reported contains the values extracted from "Issues Reported".


Any help will be appreciated.

Thanks,


Re: Using values of a field, compare them in another field and pulling relevant data into one

SplunkTrust

Here is one way you might be able to do it:

| makeresults 
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password" 
| fields - _time 
| makemv delim="," Issues 
| mvexpand Issues 
| eval Issues_h=case(like(upper(Issues),upper("%Windows%")), "Windows Account Issue", like(upper(Issues),upper("%SAP%")), "SAP Related Issues", like(upper(Issues),upper("%Oracle%")), "Oracle Related Issues")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"

What you would need is everything from "| mvexpand Issues" on, adjusting for field names. The key component here is the "eval Issues_h" part. What that does is assign an Issue Headline to each issue reported. It does a case-insensitive match on keywords like Windows, SAP, and Oracle. You can add additional headline labels and keyword matching as needed. Another way to do this is using match in the eval instead of like and using regex to find specific patterns in the text. Does this help? Let me know if you have any questions!
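
The match-based alternative mentioned in the answer above, as an added example that is not part of the original post. It uses case-insensitive regexes with word boundaries, trims the leading spaces that makemv leaves after each comma, and adds a true() fallback so that issues matching no keyword are listed under a headline instead of dropping out of the stats table (stats omits rows whose "by" field is null). The "VPN token expired" value and the "Uncategorized" label are constructed for illustration.

```spl
| makeresults
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password, VPN token expired"
| fields - _time
| makemv delim="," Issues
| mvexpand Issues
| eval Issues=trim(Issues)
| eval Issues_h=case(
    match(Issues, "(?i)\bwindows\b"), "Windows Account Issue",
    match(Issues, "(?i)\bsap\b"), "SAP Related Issues",
    match(Issues, "(?i)\boracle\b"), "Oracle Related Issues",
    true(), "Uncategorized")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"
```

Because case() returns the first matching branch, order the branches from most to least specific when an issue could match more than one keyword.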


Re: Using values of a field, compare them in another field and pulling relevant data into one

Communicator

Hello,

It's perfect. I just used the eval Issues=upper(Issues) command to turn the field values into upper case. Thank you.
