Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to show multiple values in one value

aditsss
Motivator
‎01-21-2021 12:03 PM

Hi All,

I have one requirement:

I have one lookup where there is one column Case_Status. It has multiple values  for Case status:

Resolved

Closed- Resolved

Resolved - UpdateCase

Submitted

Pending 

Escalated

My requirement is I need only two values that is open and closed

I need to include Resolved submitted and pending in OPEN and Escalated, Resolved and Resolved Update Case in Closed.

How can I achieve this.

My current query:

|inputlookup Sdf.csv| table CaseStatus | dedup CaseStatus

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 01:33 AM

Hi @aditsss,

You have missing comma, please try below;

| inputlookup mnr_rally_defects.csv 
| sort -rundatetime 
| dedup state 
| eval state=case(state="Submitted" OR state="Fixed" OR state="Open", "OPEN", state="Closed","Closed", 1==1,state) 
| table rundatetime state

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-21-2021 12:20 PM

You could add a column to the lookup, but it might be easiest to map the status values using a case statement.

|inputlookup Sdf.csv
| fields CaseStatus 
| dedup CaseStatus
| eval CaseStatus=case(CaseStatus="Resolved" OR CaseStatus="Submitted" OR CaseStatus="Pending", "OPEN", CaseStatus="Escalated" OR CaseStatus="Closed- Resolved" OR CaseStatus="Resolved - UpdateCase", "Closed", 1==1,CaseStatus)
| table CaseStatus
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-21-2021 12:56 PM

@richgalloway 

 

I tried like this:

|inputlookup mnr_rally_defects.csv| sort -rundatetime| dedup state| eval state=case(state="Submitted" OR state="Fixed" OR state="Open", "OPEN", state="Closed" "Closed", 1==1,state)|table rundatetime state

I am getting error as :

Error in 'eval' command: The expression is malformed. Expected ).

0 Karma
Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 01:33 AM

Hi @aditsss,

You have missing comma, please try below;

| inputlookup mnr_rally_defects.csv 
| sort -rundatetime 
| dedup state 
| eval state=case(state="Submitted" OR state="Fixed" OR state="Open", "OPEN", state="Closed","Closed", 1==1,state) 
| table rundatetime state

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-22-2021 01:54 AM

@scelikok 

I want to merge three columns submitted,fixed and open as one column Open and closed and resolved as closed.All these columns contains numeric values.

Will the below query correct.

0 Karma
Reply
Solved! Jump to solution

scelikok
SplunkTrust
SplunkTrust
‎01-22-2021 02:04 AM

@aditsss,

The query is only missing resolved state, I added below. But I couldn't understand "All these columns contains numeric values". I think you meant about some other columns since state columns are string in your search. If you can post some sample data, we can have better recommendation.

| inputlookup mnr_rally_defects.csv 
| sort -rundatetime 
| dedup state 
| eval state=case(state="Submitted" OR state="Fixed" OR state="Open", "OPEN", state="Closed" OR state="Resolved","Closed", 1==1,state) 
| table rundatetime state

 

If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply
Solved! Jump to solution

FelixLeh
Contributor
‎01-22-2021 01:09 AM

When using case end the brackets with

 ,true(), "exampleValue")

as an option if none of your previous cases are True

(I'm relatively new to Splunk so take my thoughts with a grain of salt)

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-21-2021 09:10 PM

@richgalloway 

Can you guide me on this.

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-21-2021 09:25 PM

@richgalloway 

 

I want to display two columns OPEN and Closed in a table .

I want to include Submitted,Fixed in OPEN column and Closed,Resolved in  Closed column.

Can you guide me on this.

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-22-2021 12:46 AM

@richgalloway 

 

Please guide me on this.

0 Karma
Reply
Solved! Jump to solution

bapun18
Communicator
‎01-21-2021 12:15 PM

Hi You can try,
Something like |stats first(CaseStatus) as Case_Status

or
|stats min(CaseStatus) as Case_Status 

even try |stats value(*) AS * by CaseStatus if that help

0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎01-21-2021 12:18 PM

@bapun18 

How can I include my values in Two fields:

I want to create one field open and want to include submitted pending in OPEN and Rest in closed.

Can you guide me on that.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...