Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Correlation based on 3 fields and find events in between, one of the fields in multivalue

adonio
Ultra Champion
‎04-23-2018 10:24 AM

Hello Splunkers,
battling with this all morning and seeking your assistance.
i have a CSV data set from a car workshop as below, the field "replaced_parts" is a product number and can take any number of values, here i changed to part name for convenience. 

date,make,model,car_id,replaced_parts,
4/4/2014,VW,Jetta,123,battery,
4/5/2014,RR,Phantom,234,"head light" "rear light",
4/6/2014,Renault,Clio,345,engine,
4/4/2015,VW,Jetta,123,battery alternator,
4/5/2015,RR,Phantom,234,bumper",
4/6/2015,Renault,Clio,345,transmission,
4/6/2016,Renault,Clio,345,engine,

i am trying to find whether the same car_id had the same part replaced in consecutive visits to the shop as well as other parts that might had impact on that replaced part. for example car # 123 should appear and car # 234 should not.
also, i am trying to capture whether the same car was in another visit and replaced another part/s and place that value/s in a new field.
example desired result would be:

last_date|car_id |make  |model|commun_replaced_parts|maybe_related_part
4/4/2015|123   | VW       |Jetta   |battery                                |alternator,
4/6/2016|345   |Renault|Clio    |engine                                 |transmission

thanks in advance for your help

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-23-2018 11:58 AM

Give this a try

| gentimes start=-1 | eval temp="4/4/2014,VW,Jetta,123,battery,#4/5/2014,RR,Phantom,234,\"head light\" \"rear light\",#4/6/2014,Renault,Clio,345,engine,#4/4/2015,VW,Jetta,123,battery alternator,#4/5/2015,RR,Phantom,234,bumper,##4/6/2015,Renault,Clio,345,transmission,#4/6/2016,Renault,Clio,345,engine," | makemv temp delim="#" | mvexpand temp | table temp | rex field=temp "(?<date>[^,]+),(?<make>[^,]+),(?<model>[^,]+),(?<carid>[^,]+),(?<replaced_parts>[^,]+),"  
| rename COMMENT as "Above portion generates the sample data"
| eval date=strptime(date,"%m/%d/%Y") | eval replaced_parts=if(match(replaced_parts,"\""),replace(replace(replaced_parts,"\"\s+\"",","),"\"",""),replace(replaced_parts,"\s+",",")) | makemv replaced_parts delim="," | mvexpand replaced_parts 
| rename COMMENT as "Above portion expands the replaced_parts in case there are multiple parts "
| eventstats dc(date) as dates by make model carid replaced_parts | eval common_parts=if(dates>1,replaced_parts,null()) | eval alternate_parts=if(dates=1,replaced_parts,null()) | stats max(date) as last_date max(dates) as dates values(*_parts) as *_parts by carid model make | where dates=2 | table  last_date  carid make model common_parts alternate_parts | eval last_date=strftime(last_date,"%m/%d/%Y")

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-23-2018 11:58 AM

Give this a try

| gentimes start=-1 | eval temp="4/4/2014,VW,Jetta,123,battery,#4/5/2014,RR,Phantom,234,\"head light\" \"rear light\",#4/6/2014,Renault,Clio,345,engine,#4/4/2015,VW,Jetta,123,battery alternator,#4/5/2015,RR,Phantom,234,bumper,##4/6/2015,Renault,Clio,345,transmission,#4/6/2016,Renault,Clio,345,engine," | makemv temp delim="#" | mvexpand temp | table temp | rex field=temp "(?<date>[^,]+),(?<make>[^,]+),(?<model>[^,]+),(?<carid>[^,]+),(?<replaced_parts>[^,]+),"  
| rename COMMENT as "Above portion generates the sample data"
| eval date=strptime(date,"%m/%d/%Y") | eval replaced_parts=if(match(replaced_parts,"\""),replace(replace(replaced_parts,"\"\s+\"",","),"\"",""),replace(replaced_parts,"\s+",",")) | makemv replaced_parts delim="," | mvexpand replaced_parts 
| rename COMMENT as "Above portion expands the replaced_parts in case there are multiple parts "
| eventstats dc(date) as dates by make model carid replaced_parts | eval common_parts=if(dates>1,replaced_parts,null()) | eval alternate_parts=if(dates=1,replaced_parts,null()) | stats max(date) as last_date max(dates) as dates values(*_parts) as *_parts by carid model make | where dates=2 | table  last_date  carid make model common_parts alternate_parts | eval last_date=strftime(last_date,"%m/%d/%Y")
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎04-23-2018 12:10 PM

@somesoni2, thank you very much!
works nice like the RR

0 Karma
Reply
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...