Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: How to calculate on one event into different c...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jouman
Path Finder
04-26-2023
08:53 PM
Hi all,
I want to analyze several events and the fields in them.
Origianally, I use case() to capture one field(Causse) in A_EVENT, and 2 fields(Type, Scenario) in B_event.
(index="idx_message" Name="A_EVENT" OR Name="B_Event")
| rename "Data.Cause" as A_cause `comment("belong to A_Event")`
| rename "Data.Type" as B_type `comment("belong to B_Event")`
| rename "Data.Scenario" as B_scenario `comment("belong to B_Event")`
| eval Scenario_name=case(
Name="A_EVENT" AND A_cause=0, "A Cause: X reason",
Name="A_EVENT" AND A_cause=1, "A Cause: Y reason",
Name="B_Event" AND B_type=0, "B Type: a category",
Name="B_Event" AND B_type=1, "B Type: b category",
Name="B_Event" AND B_scenario=0, "B Scenario: description 1",
Name="B_Event" AND B_scenario=1, "B Scenario: description 2",
true(), null)
| where isnotnull(Scenario_name)
| chart limit=0 count by Scenario_name
However, while I check the output, the output will be
| Scenario_name | count |
| A Cause: X reason | 1 |
| A Cause: Y reason | 2 |
| B Type: a category | 3 |
| B Type: b category | 4 |
The scenario "B Scenario: description 1" and "B Scenario: description 2" are missing.
I found the reason comes from "B Scenario" and "B Type" is used to verdict the same event, if I use case(), I am unable to get any "B Scenario" because all the events will be verdicted as "B Type" already.
Is there any way to generate such output?
| Scenario_name | count |
| A Cause: X reason | 1 |
| A Cause: Y reason | 2 |
| B Type: a category | 3 |
| B Type: b category | 4 |
| B Scenario: description 1 | 2 |
| B Scenario: description 2 | 5 |
Thanks.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeahnah
Motivator
04-27-2023
03:10 PM
Hi @Jouman
OK I see and you're right the case statement will not work here.
Here's a run anywhere example that you could try.
index=dummy
| append [ | makeresults count=10 | streamstats count
| eval raw=if((count%2) = 0, "Name=A_EVENT Data.Cause=0:Name=B_Event Data.Type=0 Data.Scenario=1", "Name=A_EVENT Data.Cause=1:Name=B_Event Data.Type=1 Data.Scenario=0")
,raw=split(raw, ":")
| mvexpand raw
| rename raw AS _raw
]
| extract ``` use verbose mode ```
| rename Data_* AS Data.*
``` ^^^ create dummy events ^^^ ```
| rename "Data.Cause" as A_cause `comment("belong to A_Event")`
| rename "Data.Type" as B_type `comment("belong to B_Event")`
| rename "Data.Scenario" as B_scenario `comment("belong to B_Event")`
``` event B has two possible scenario types so make a new multivalue field then split and duplicate events by scenario type ```
| eval event_type=split(if(Name=="B_Event", "B_type=".B_type.":B_scenario=".B_scenario, "A_cause=".A_cause), ":")
| mvexpand event_type
| table Name event_type
| eval Scenario_name=case(
Name="A_EVENT" AND event_type="A_cause=0", "A Cause: X reason",
Name="A_EVENT" AND event_type="A_cause=1", "A Cause: Y reason",
Name="B_Event" AND event_type="B_type=0", "B Type: a category",
Name="B_Event" AND event_type="B_type=1", "B Type: b category",
Name="B_Event" AND event_type="B_scenario=0", "B Scenario: description 1",
Name="B_Event" AND event_type="B_scenario=1", "B Scenario: description 2",
true(), null())
| stats count BY Scenario_name
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeahnah
Motivator
04-27-2023
03:10 PM
Hi @Jouman
OK I see and you're right the case statement will not work here.
Here's a run anywhere example that you could try.
index=dummy
| append [ | makeresults count=10 | streamstats count
| eval raw=if((count%2) = 0, "Name=A_EVENT Data.Cause=0:Name=B_Event Data.Type=0 Data.Scenario=1", "Name=A_EVENT Data.Cause=1:Name=B_Event Data.Type=1 Data.Scenario=0")
,raw=split(raw, ":")
| mvexpand raw
| rename raw AS _raw
]
| extract ``` use verbose mode ```
| rename Data_* AS Data.*
``` ^^^ create dummy events ^^^ ```
| rename "Data.Cause" as A_cause `comment("belong to A_Event")`
| rename "Data.Type" as B_type `comment("belong to B_Event")`
| rename "Data.Scenario" as B_scenario `comment("belong to B_Event")`
``` event B has two possible scenario types so make a new multivalue field then split and duplicate events by scenario type ```
| eval event_type=split(if(Name=="B_Event", "B_type=".B_type.":B_scenario=".B_scenario, "A_cause=".A_cause), ":")
| mvexpand event_type
| table Name event_type
| eval Scenario_name=case(
Name="A_EVENT" AND event_type="A_cause=0", "A Cause: X reason",
Name="A_EVENT" AND event_type="A_cause=1", "A Cause: Y reason",
Name="B_Event" AND event_type="B_type=0", "B Type: a category",
Name="B_Event" AND event_type="B_type=1", "B Type: b category",
Name="B_Event" AND event_type="B_scenario=0", "B Scenario: description 1",
Name="B_Event" AND event_type="B_scenario=1", "B Scenario: description 2",
true(), null())
| stats count BY Scenario_name
Hope that helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jouman
Path Finder
04-28-2023
02:52 AM
@yeahnah Thank you very much. I tried and the code works well. This really helps me a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeahnah
Motivator
04-26-2023
09:50 PM
Hi @Jouman
It's always preferable to provide an example of the raw event(s). Obfuscate or remove sensitive data, if any.
Please use the Insert/Edit code sample when adding example data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jouman
Path Finder
04-27-2023
05:47 AM
@yeahnah Thanks for the suggestion. I rewrite my question and hope that would be clear.
Thank you!
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Tech Talk Recap | Mastering Threat Hunting
Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...
Observability for AI Applications: Troubleshooting Latency
If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...
