Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlation based on 3 fields and find events in between, one of the fields in multivalue

adonio
Ultra Champion
‎04-23-2018 10:24 AM

Hello Splunkers,
battling with this all morning and seeking your assistance.
i have a CSV data set from a car workshop as below, the field "replaced_parts" is a product number and can take any number of values, here i changed to part name for convenience. 

date,make,model,car_id,replaced_parts,
4/4/2014,VW,Jetta,123,battery,
4/5/2014,RR,Phantom,234,"head light" "rear light",
4/6/2014,Renault,Clio,345,engine,
4/4/2015,VW,Jetta,123,battery alternator,
4/5/2015,RR,Phantom,234,bumper",
4/6/2015,Renault,Clio,345,transmission,
4/6/2016,Renault,Clio,345,engine,

i am trying to find whether the same car_id had the same part replaced in consecutive visits to the shop as well as other parts that might had impact on that replaced part. for example car # 123 should appear and car # 234 should not.
also, i am trying to capture whether the same car was in another visit and replaced another part/s and place that value/s in a new field.
example desired result would be:

last_date|car_id |make  |model|commun_replaced_parts|maybe_related_part
4/4/2015|123   | VW       |Jetta   |battery                                |alternator,
4/6/2016|345   |Renault|Clio    |engine                                 |transmission

thanks in advance for your help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-23-2018 11:58 AM

Give this a try

| gentimes start=-1 | eval temp="4/4/2014,VW,Jetta,123,battery,#4/5/2014,RR,Phantom,234,\"head light\" \"rear light\",#4/6/2014,Renault,Clio,345,engine,#4/4/2015,VW,Jetta,123,battery alternator,#4/5/2015,RR,Phantom,234,bumper,##4/6/2015,Renault,Clio,345,transmission,#4/6/2016,Renault,Clio,345,engine," | makemv temp delim="#" | mvexpand temp | table temp | rex field=temp "(?<date>[^,]+),(?<make>[^,]+),(?<model>[^,]+),(?<carid>[^,]+),(?<replaced_parts>[^,]+),"  
| rename COMMENT as "Above portion generates the sample data"
| eval date=strptime(date,"%m/%d/%Y") | eval replaced_parts=if(match(replaced_parts,"\""),replace(replace(replaced_parts,"\"\s+\"",","),"\"",""),replace(replaced_parts,"\s+",",")) | makemv replaced_parts delim="," | mvexpand replaced_parts 
| rename COMMENT as "Above portion expands the replaced_parts in case there are multiple parts "
| eventstats dc(date) as dates by make model carid replaced_parts | eval common_parts=if(dates>1,replaced_parts,null()) | eval alternate_parts=if(dates=1,replaced_parts,null()) | stats max(date) as last_date max(dates) as dates values(*_parts) as *_parts by carid model make | where dates=2 | table  last_date  carid make model common_parts alternate_parts | eval last_date=strftime(last_date,"%m/%d/%Y")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-23-2018 11:58 AM

Give this a try

| gentimes start=-1 | eval temp="4/4/2014,VW,Jetta,123,battery,#4/5/2014,RR,Phantom,234,\"head light\" \"rear light\",#4/6/2014,Renault,Clio,345,engine,#4/4/2015,VW,Jetta,123,battery alternator,#4/5/2015,RR,Phantom,234,bumper,##4/6/2015,Renault,Clio,345,transmission,#4/6/2016,Renault,Clio,345,engine," | makemv temp delim="#" | mvexpand temp | table temp | rex field=temp "(?<date>[^,]+),(?<make>[^,]+),(?<model>[^,]+),(?<carid>[^,]+),(?<replaced_parts>[^,]+),"  
| rename COMMENT as "Above portion generates the sample data"
| eval date=strptime(date,"%m/%d/%Y") | eval replaced_parts=if(match(replaced_parts,"\""),replace(replace(replaced_parts,"\"\s+\"",","),"\"",""),replace(replaced_parts,"\s+",",")) | makemv replaced_parts delim="," | mvexpand replaced_parts 
| rename COMMENT as "Above portion expands the replaced_parts in case there are multiple parts "
| eventstats dc(date) as dates by make model carid replaced_parts | eval common_parts=if(dates>1,replaced_parts,null()) | eval alternate_parts=if(dates=1,replaced_parts,null()) | stats max(date) as last_date max(dates) as dates values(*_parts) as *_parts by carid model make | where dates=2 | table  last_date  carid make model common_parts alternate_parts | eval last_date=strftime(last_date,"%m/%d/%Y")
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-23-2018 12:10 PM

@somesoni2, thank you very much!
works nice like the RR

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...