Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me get this table from the following query?

dhirendra761
Contributor
‎11-23-2018 04:26 AM

HI All,

Below Query:

| convert ctime(_time) AS Date timeformat="%d/%m/%y" 
| eval File_Copied=case(File_Copied="NatCo 2","GE",File_Copied="natco 3","FR") 
| eval File_Created=case(File_Created="natco 2","GE",File_Created="NatCo 3","FR") 
| chart count(File_Copied) over Date  by File_Created | untable Date,File_Created,count
 |eval count=if(count>0,"OK","KO")|maketable Date,File_Created,count

generates:

 Date   |FR |GE
16/11/18|   OK  |KO
17/11/18|   KO  |OK
18/11/18|   KO  |KO

Now, I want blanks space entry when date is sunday or saturday and value is KO as below table:

Date    |FR |GE
    16/11/18|   OK  |KO
    17/11/18|         |OK
    18/11/18|         |

I have field day_wday, which have "sunday,saturday,friday values"
Can you please help me to get this table from my query.

Thank You.

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-23-2018 04:37 AM

Hi dhirendra761,
did you tried to add at the end of your search an eval condition like the following:

| eval count=if((day_wday="saturday" OR day_wday="sunday") AND count="KO"," ",count)

Bye.
Giuseppe

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:08 AM

Hi @Anonymous As you suggested, I applied on search but didn't get the expected result:
| convert ctime(_time) AS Date timeformat="%d/%m/%y"
| eval File_Copied=case(File_Copied="NatCo 1","GE",File_Copied="NatCo 2","SP",File_Copied="NatCo 4","UK",File_Copied="natco 3","FR")
| eval File_Created=case(File_Created="natco 1","GE",File_Created="natco 2","SP",File_Created="natco 4","UK",File_Created="NatCo 3","FR")
| chart count(File_Copied) over Date by File_Created 

| untable Date,File_Created,count 
| eval count=if(count>0,"OK","KO") | eval count=if((day_wday="saturday" OR day_wday="sunday") AND count="KO"," ",count)
| maketable Date,File_Created,count

Can you please suggest something else.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 04:29 AM

There were saturday and sunday on 17th and 18th.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:11 AM

I think I should not use Chart command for core-relation of table. Is there any other command which works as chart and gives correlated result between rows and columns.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:11 AM

@somesoni2 @woodcock

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...