I have 20 searches to be performed on a single .csv log file. Every search returns a different feedback like "missing value", "blank resolution", "breached" etc. I want all these feedbacks to be updated in a single "feedback" column in the output report.
I am stuck at:
1] How to get a textual feedback added to the Feedback column after my search filters out the required events.
2] How to automate these 20 searches sequentially.
3] A single event can have more than 1 feedback.
Hi alfiyashaikh,
do you want to have only one search, or do you have many searches whose results must be added to the same csv output file?
In the first case you have to use the append command:
my_search_1
| rename column_field1 AS field column_message1 AS message
| table field message
| append [ search
my_search_2
| rename column_field2 AS field column_message2 AS message
| table field message
]
| append [ search
my_search_3
| rename column_field3 AS field column_message3 AS message
| table field message
]
| table field message
If instead you want to add the results to an output csv file, you have to run your searches separately, adding this line at the end:
| outputcsv append=true my_outputfile.csv
Bye.
Giuseppe
Hi cusello and woodcock,
Thank you for your help.
2] How to automate these 20 searches sequentially.
- "append" worked for this case.
For feedback:
1] How to get a textual feedback added to the Feedback column after my search filters out the required events
Using eval, I entered the feedback [ |eval Feedback="Blank resolution" ], and similarly added the required feedback for each search.
3] A single event can have more than 1 feedback.
I used [ |outputcsv XYZcsvfile ] at the very end of my search,
so I even got multiple feedbacks for a single event.
I am lost. Do you have a working solution? Do you understand the pieces that have been shown so far? If not, you need to show sample data and a mockup of the desired solution or I don't think anyone will be able to dig deeper.
The input file is an Incident data log file:
((index="") (sourcetype="Remedy")) | eval Feedback="Feedback message"
|fields "Incident", "time", "Resolution", "Status", "Vendor Ticket Number", "Feedback"
|search (Resolution != "*why did it happen" AND Resolution != "closer") AND Status="Resolved"
|table "Incident ID", "Feedback" "_time", "Resolution", "Status", "Vendor Ticket Number"
|append [next search]
|append [next search]
|outputcsv output_csv_file
After running this search a new .csv is created in my local folder C:\Program Files\Splunk\var\run\splunk\csv.
It contains the required fields and the respective feedbacks for all the appended searches.
I tried using multireport too.
But it is not giving me any statistics table ("No results found"), and the number of events that it shows is also incorrect.
Splunk doesn't recognize "multireport" as a keyword/library keyword/predefined word.
((index="") (sourcetype="Remedy"))
| multireport [ eval Feedback="BLANK RESOLUTION"
|fields "Incident ID", "_time", "Resolution", "Status", "Vendor Ticket Number", "Feedback", "Resolution Categorization Tier"
|search (Resolution != "why did it happen" AND Resolution != "closer") AND Status="Resolved"
|table "Incident ID", "Feedback" "_time", "Resolution", "Status", "Vendor Ticket Number", "Resolution Categorization Tier*"]
[search ((index="" OR index="_") (sourcetype="Remedy")) |eval Feedback="feedback message"
|fields "Incident ID",....
|search ("my search")
|table "Incident ID", "Feedback" ....]
Excuse the hijack. On a side note, if this is Remedy AR, how are you getting this info into Splunk?
Extracting an xls file from Remedy and manually uploading it on Splunk Enterprise.
Maybe you can use only 1 mega search with 20 clauses after a |multireport. It would look like this:
|inputcsv YourFileHere | multireport
[SPL for analysis #1 here | table foo bar feedback]
. . . . . . . .
[SPL for analysis #20 here | table foo bar feedback]
| stats values(feedback) AS feedback BY foo bar
Check out this Q&A for a very similar conversation with many suggestions:
https://answers.splunk.com/answers/594332/pattern-loopable-lookup-table-to-bypass-map-subsea.html
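The aggregation that woodcock's `stats values(feedback) AS feedback BY foo bar` performs, and that the earlier `append` + `outputcsv` approach lacks (one output row per check, so an incident that trips several checks appears several times), is shown below in Python rather than SPL. This is an added example, not code from the thread or from Splunk: the check names, the predicates and the sample Remedy-style rows are constructed, and the only assumption about the real export is that it carries the column names used in the thread ("Incident ID", "Resolution", "Status", "Vendor Ticket Number").

```python
"""Added example (not from the thread): many checks, one Feedback column,
several feedbacks per event, written over a CSV so the logic runs offline."""
import csv
import io

# Constructed sample export with the column names used in the thread.
SAMPLE_CSV = """Incident ID,_time,Resolution,Status,Vendor Ticket Number
INC001,2019-01-01 10:00,closer,Resolved,VT-1
INC002,2019-01-01 11:00,,Resolved,
INC003,2019-01-01 12:00,why did it happen,Resolved,VT-3
INC004,2019-01-01 13:00,Fixed faulty cable,Closed,VT-4
"""

# Each check is (feedback text, predicate on one row); these three are
# constructed stand-ins for the thread's 20 searches.
CHECKS = [
    ("BLANK RESOLUTION", lambda r: r["Resolution"].strip() == ""),
    ("MISSING VALUE", lambda r: r["Vendor Ticket Number"].strip() == ""),
    ("RESOLVED WITHOUT ROOT CAUSE",
     lambda r: r["Status"] == "Resolved"
     and r["Resolution"].strip().lower() in ("closer", "why did it happen")),
]


def run_checks(csv_text, checks=CHECKS):
    """Return {incident_id: sorted feedback list} for rows that trip at least
    one check. This is the Python equivalent of evaling Feedback in each
    search and then doing stats values(Feedback) BY "Incident ID"."""
    feedback = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = [label for label, pred in checks if pred(row)]
        if hits:
            feedback.setdefault(row["Incident ID"], set()).update(hits)
    return {iid: sorted(labels) for iid, labels in feedback.items()}


def report_csv(csv_text, checks=CHECKS):
    """Build the report: the original columns plus one Feedback column.
    Multiple feedbacks are joined with '; ' so each incident appears once."""
    per_incident = run_checks(csv_text, checks)
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()) + ["Feedback"],
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        iid = row["Incident ID"]
        if iid in per_incident:  # rows with no feedback are not reported
            writer.writerow({**row, "Feedback": "; ".join(per_incident[iid])})
    return out.getvalue()


if __name__ == "__main__":
    print(report_csv(SAMPLE_CSV))
```

Running it prints three report rows: INC002 carries two feedbacks in one row, which is exactly the behaviour the thread's `append` chain cannot give without a final `stats values(...) BY` step.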