Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can you help me get this table from the following query?

dhirendra761
Contributor
‎11-23-2018 04:26 AM

HI All,

Below Query:

| convert ctime(_time) AS Date timeformat="%d/%m/%y" 
| eval File_Copied=case(File_Copied="NatCo 2","GE",File_Copied="natco 3","FR") 
| eval File_Created=case(File_Created="natco 2","GE",File_Created="NatCo 3","FR") 
| chart count(File_Copied) over Date  by File_Created | untable Date,File_Created,count
 |eval count=if(count>0,"OK","KO")|maketable Date,File_Created,count

generates:

 Date   |FR |GE
16/11/18|   OK  |KO
17/11/18|   KO  |OK
18/11/18|   KO  |KO

Now, I want blanks space entry when date is sunday or saturday and value is KO as below table:

Date    |FR |GE
    16/11/18|   OK  |KO
    17/11/18|         |OK
    18/11/18|         |

I have field day_wday, which have "sunday,saturday,friday values"
Can you please help me to get this table from my query.

Thank You.

Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-23-2018 04:37 AM

Hi dhirendra761,
did you tried to add at the end of your search an eval condition like the following:

| eval count=if((day_wday="saturday" OR day_wday="sunday") AND count="KO"," ",count)

Bye.
Giuseppe

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:08 AM

Hi @cusello As you suggested, I applied on search but didn't get the expected result:
| convert ctime(_time) AS Date timeformat="%d/%m/%y"
| eval File_Copied=case(File_Copied="NatCo 1","GE",File_Copied="NatCo 2","SP",File_Copied="NatCo 4","UK",File_Copied="natco 3","FR")
| eval File_Created=case(File_Created="natco 1","GE",File_Created="natco 2","SP",File_Created="natco 4","UK",File_Created="NatCo 3","FR")
| chart count(File_Copied) over Date by File_Created 

| untable Date,File_Created,count 
| eval count=if(count>0,"OK","KO") | eval count=if((day_wday="saturday" OR day_wday="sunday") AND count="KO"," ",count)
| maketable Date,File_Created,count

Can you please suggest something else.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 04:29 AM

There were saturday and sunday on 17th and 18th.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:11 AM

I think I should not use Chart command for core-relation of table. Is there any other command which works as chart and gives correlated result between rows and columns.

0 Karma
Reply

dhirendra761
Contributor
‎11-23-2018 11:11 AM

@somesoni2 @woodcock

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...