Solved: Col operation

mandyst · ‎07-19-2021

Hi everyone,

Is it possible to achieve this: My search has resulted in four columns

Column1       Column2          Column3         Column4
------         -------                   -------    -------
Type1             Source1            OK(status)    Item1
Type2             Source2            OK(status)    Item2
Type3 Source3            BAD(status)   Item3
Type4             Source4            OK(status)      Item4
Type5             Source5            BAD(status)    Item5
Type6             Source6            BAD(status)    Item6

I wish to send an email periodically with this text:

At this time, Items: Item1, Item2, Item4 are OK, and Item3, Item5, Item6 are BAD.

Is it possible to filter Items based on Column3 and get all fields in a single line in order to put them in a message which will also be part of the resulting query?

If it is not possible to make both cases - OK and BAD in the same line, it would be nice to have only one working.

kamlesh_vaghela · ‎07-19-2021

@mandyst

Can you please try this?

YOUR_SEARCH
| eval Column3=replace(Column3,"\(status\)","") 
| stats  delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."

My Sample Search :

| makeresults 
| eval _raw="Column1,Column2,Column3,Column4
Type1,Source1,OK(status),Item1
Type2,Source2,OK(status),Item2
Type3,Source3,BAD(status),Item3
Type4,Source4,OK(status),Item4
Type5,Source5,BAD(status),Item5
Type6,Source6,BAD(status),Item6" 
| multikv forceheader=1 
| eval Column3=replace(Column3,"\(status\)","") 
| stats  delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."

You can change this search as per your requirement.

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎07-19-2021

@mandyst

Can you please try this?

YOUR_SEARCH
| eval Column3=replace(Column3,"\(status\)","") 
| stats  delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."

My Sample Search :

| makeresults 
| eval _raw="Column1,Column2,Column3,Column4
Type1,Source1,OK(status),Item1
Type2,Source2,OK(status),Item2
Type3,Source3,BAD(status),Item3
Type4,Source4,OK(status),Item4
Type5,Source5,BAD(status),Item5
Type6,Source6,BAD(status),Item6" 
| multikv forceheader=1 
| eval Column3=replace(Column3,"\(status\)","") 
| stats  delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."

You can change this search as per your requirement.

Thanks
KV
▄︻̷̿┻̿═━一 ?

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

mandyst · ‎07-20-2021

Thank you @kamlesh_vaghela

It is perfect

Col operation

fields

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...