Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Back-computation using table contents

vigneshtv
Explorer
‎03-11-2020 10:05 PM

I have categories.csv that contains list of sub-categories in each category

Category,Sub_category
Biology,Botany
Biology,Zoology
Physical_Science,Physics
Physical_Science,Chemistry

In another file I have the results for all sub-categories

Subject,Result
Botany,Pass
Zoology,Fail
Physics,Being_revaluted
Chemistry,Pass

I need to compute the overall result per category like

Biology,Physical_Science
Fail,Being_revaluted

Please help me achieve the above mentioned objective

I am able to extract the list of sub-categories in any particular category, say Biology, using the below code

source="/tmp/categories.csv" host="pc1" index="my_index" Category="Biology" | eval Sub_cat=Sub_category | search Category=Biology | table Category Sub_cat

The above code gives

Category,Sub_cat
Biology,Botony
Biology,Zoology

0 Karma
Reply

woodcock
Esteemed Legend
‎03-14-2020 06:51 PM

Something like this:

|inputlookup AnotherFileWithResults.csv
| lookup categories.csv Sub_category AS Subject
| chart count BY Category Result
0 Karma
Reply

manjunathmeti
Champion
‎03-11-2020 10:14 PM

Try this:

source="/tmp/categories.csv" host="pc1" index="my_index" Category="Biology" 
| fields Category Sub_category 
| append 
    [ search source="/tmp/sub-categories.csv" host="pc1" index="my_index" 
    | eval Sub_category= Subject 
    | fields Sub_category, Result] 
| stats values(*) as * by Sub_category
| xyseries Sub_category Category Result
Reply

vigneshtv
Explorer
‎03-11-2020 11:33 PM

Using your code, I am getting the results in terms of sub-categories like

Sub_category,Category,Result
Botany,Biology,Pass
Zoology,Biology,Fail ...

But I need them only in-terms of categories like

Biology,Physical_Science
Fail,Being_revaluted

Fail + Fail/Pass/Being_revaluted = Fail,
Pass + Pass = Pass,
Pass + Being_revaluted = Being_revaluted

0 Karma
Reply

manjunathmeti
Champion
‎03-12-2020 12:58 AM

Try this:

source="/tmp/categories.csv" host="pc1" index="my_index" Category="Biology" 
| fields Category Sub_category 
| append 
    [ search source="/tmp/sub-categories.csv" host="pc1" index="my_index" 
    | eval Sub_category= Subject 
    | fields Sub_category, Result] 
| stats values(*) as * by Sub_category 
| stats values(Result) as Result by Category 
| eval Result=case(match(Result, "Fail"), "Fail", match(Result, "Being_revaluted"), "Being_revaluted", 1==1, "Pass")
0 Karma
Reply

vigneshtv
Explorer
‎03-11-2020 10:11 PM

*Minor changes to my code:

source="/tmp/categories.csv" host="pc1" index="my_index" Category=Biology | eval Subject=Sub_category | table Category Subject

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...

4 Ways the Splunk Community Helps You Prepare for .conf25

.conf25 is right around the corner, and whether you’re a first-time attendee or a seasoned Splunker, the ...
Top