- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Col operation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
Is it possible to achieve this: My search has resulted in four columns
Column1 Column2 Column3 Column4
------ ------- ------- -------
Type1 Source1 OK(status) Item1
Type2 Source2 OK(status) Item2
Type3 Source3 BAD(status) Item3
Type4 Source4 OK(status) Item4
Type5 Source5 BAD(status) Item5
Type6 Source6 BAD(status) Item6
I wish to send an email periodically with this text:
At this time, Items: Item1, Item2, Item4 are OK, and Item3, Item5, Item6 are BAD.
Is it possible to filter Items based on Column3 and get all fields in a single line in order to put them in a message which will also be part of the resulting query?
If it is not possible to make both cases - OK and BAD in the same line, it would be nice to have only one working.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
YOUR_SEARCH
| eval Column3=replace(Column3,"\(status\)","")
| stats delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."My Sample Search :
| makeresults
| eval _raw="Column1,Column2,Column3,Column4
Type1,Source1,OK(status),Item1
Type2,Source2,OK(status),Item2
Type3,Source3,BAD(status),Item3
Type4,Source4,OK(status),Item4
Type5,Source5,BAD(status),Item5
Type6,Source6,BAD(status),Item6"
| multikv forceheader=1
| eval Column3=replace(Column3,"\(status\)","")
| stats delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."
You can change this search as per your requirement.
Thanks
KV
▄︻̷̿┻̿═━一 ?
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you please try this?
YOUR_SEARCH
| eval Column3=replace(Column3,"\(status\)","")
| stats delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."My Sample Search :
| makeresults
| eval _raw="Column1,Column2,Column3,Column4
Type1,Source1,OK(status),Item1
Type2,Source2,OK(status),Item2
Type3,Source3,BAD(status),Item3
Type4,Source4,OK(status),Item4
Type5,Source5,BAD(status),Item5
Type6,Source6,BAD(status),Item6"
| multikv forceheader=1
| eval Column3=replace(Column3,"\(status\)","")
| stats delim="," values(Column4) as Column4 by Column3 | mvcombine Column4
| transpose header_field=Column3
| eval OK = if(isnull(OK),"","Items: ".OK." are OK")
| eval BAD = if(isnull(BAD),"",BAD." are BAD")
| eval message="At this time,".OK." and ".BAD." are BAD."
You can change this search as per your requirement.
Thanks
KV
▄︻̷̿┻̿═━一 ?
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @kamlesh_vaghela
It is perfect
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
Splunk Education Goes to Washington | Splunk GovSummit 2024
