Hi Team,
This appears to me to be a complex scenario to implement in Splunk.
Below is the table I have in Splunk.
In the above table, for check_ids (1.1.10, 1.1.14, and so on) there are multiple blank fields, and I need to fill the blanks using information from the lookup and a condition.
Below is the lookup file.
The lookup file lists, for each profile, which check_ids are present.
Here comes the problem statement.
In the first image above I want to fill the blanks with "Unknown" if, for that respective profile and check_id, there is no entry in the lookup table.
For example, in the first row the profile is "coreos-level-1" and there are blanks for "1.1.10" and "1.1.14"; neither entry is in the lookup, so I want to replace the blanks with "Unknown", whereas if the check_id exists in the lookup then nothing needs to be filled and it can remain blank.
Can anyone help me with the logic to get this done in Splunk?
Give this a try
your current search giving the fields instance, a field for each check_id, and profile
| eval temp=instance."#".profile | fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1)
| lookup YourLookupTable.csv Check_ID Profile OUTPUT Profile as Val2
| eval Val2=if(isnull(Val2),"Unknown",null())
| eval Val=coalesce(Val,Val2)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)" | fields - temp
| table instance * profile
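A self-contained version of the answer above, added here as an example and not code from the original post. It builds the wide table inline with makeresults (instance names, profiles, check IDs and cell values are constructed sample data), and instead of reading a CSV it emulates the lookup by appending three constructed (Profile, Check_ID) rows and counting matches per pair with eventstats, so the search runs on any Splunk instance without uploading a lookup file. With the real lookup in place, drop the second append and the eventstats line and use the answer's `lookup YourLookupTable.csv Check_ID Profile OUTPUT ...` instead; that line assumes the CSV header row names the columns exactly Check_ID and Profile. The blank cells are set to an empty string rather than left absent, because untable only unpivots fields that exist on the event, so a cell that is missing entirely would never get a row and could not be filled.

```spl
| makeresults
| eval instance="host-a", profile="coreos-level-1", '1.1.10'="", '1.1.14'="", '1.1.20'="pass"
| append
    [| makeresults
     | eval instance="host-b", profile="coreos-level-2", '1.1.10'="fail", '1.1.14'="", '1.1.20'=""]
| fields - _time
| eval temp=instance."#".profile
| fields - instance profile
| untable temp Check_ID Val
| eval Profile=mvindex(split(temp,"#"),1), src="table"
| append
    [| makeresults count=3
     | streamstats count AS n
     | eval Profile=case(n=1,"coreos-level-1", n=2,"coreos-level-2", n=3,"coreos-level-2")
     | eval Check_ID=case(n=1,"1.1.20", n=2,"1.1.10", n=3,"1.1.14")
     | eval src="lookup"
     | fields Profile Check_ID src]
| eventstats count(eval(src="lookup")) AS in_lookup BY Profile Check_ID
| where src="table"
| eval Val=if(Val="" AND in_lookup=0, "Unknown", Val)
| xyseries temp Check_ID Val
| rex field=temp "(?<instance>.+)#(?<profile>.+)"
| fields - temp
| table instance profile *
```

The two constructed rows exercise all four cases the question describes: host-a has blanks for pairs absent from the emulated lookup (filled), host-b has a non-blank value (kept), a blank whose pair is present in the lookup (left blank), and a blank whose pair is absent (filled). The `in_lookup=0` test plays the role of `isnull(Val2)` in the answer; the fill is applied only when the cell is blank and the pair is absent, which is the asker's condition.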
This guidance made me get what I was looking for! Thanks
How was the top table created? Being in that format definitely complicates your search, so if you instead have access to the data used to create that table it may be easier to start with the raw data instead.
Also, please include these samples in text form, not screenshots. It's very difficult to work with sample data when you have to manually enter it in.