Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to generate a search that will display val...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prashanthberam
Explorer
03-29-2017
12:11 PM
Hi I have events coming from the servers. here we have some sample data.
2017-03-29 13:57:09.892 [WMQJCAResourceAdapter : 1424] [INFO ] [DCN 0201708802519120C] SplunkLog - DCN=0201708802519120C, CorrelationID=000970348003699784622353, TransactionTimestamp=2017-03-29 13:57:08.135, GroupNumber =00064939G, ServiceLinecount=3, SectionNumber=0009, CorporateEntityCode=TX1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=RSPUtilizationAmount=0, Department=213, CVPOutcomeCode=G, CVPClaimStatusCode=VA
2017-03-29 13:57:09.285 [WMQJCAResourceAdapter : 2216] [INFO ] [DCN 0201708802519120C] SplunkLog - DCN=0201708802519120C, CorrelationID=000970348003699784622353, TransactionTimestamp=2017-03-29 13:57:09.285, GroupNumber =00064939G, ServiceLinecount=3, SectionNumber=0009, CorporateEntityCode=TX1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=ACK, OutCome=C, Messagetext=ACCEPTED, CVPOutcomeCode=O, Department=213,
2017-03-29 13:57:07.379 [WMQJCAResourceAdapter : 2229] [INFO ] [DCN 0201708802519120C] SplunkLog - DCN=0201708802519120C, CorrelationID=000970348003699784622353, TransactionTimestamp=2017-03-29 13:57:07.379, GroupNumber =00064939G, ServiceLinecount=3, SectionNumber=0009, CorporateEntityCode=TX1, ClaimType=0, VendorName=VERSCEND, VendorCode=CVP, TransactionCode=REQ, Department=213, CVPOutcomeCode=O, CVPClaimStatusCode=VA,
here correlationId is unique key here
I want to display these values in a single table but here cvpoutcomecode and cvpclaimstatuscode will vary in these messages but sometimes not. I want to display those values in the table from which message is coming from either Req,ack,rsp.
Please need help ....thanks in advance
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-29-2017
12:40 PM
Give this a try
your base search
| eval CVPOutcomeCode_REQ=if(TransactionCode="REQ",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_REQ=if(TransactionCode="REQ",CVPClaimStatusCode,null())
| eval CVPOutcomeCode_ACK=if(TransactionCode="ACK",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_ACK=if(TransactionCode="ACK",CVPClaimStatusCode,null())
| eval CVPOutcomeCode_RSP=if(TransactionCode="RSP",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_RSP=if(TransactionCode="RSP",CVPClaimStatusCode,null())
| stats min(_time) as _time values(*_REQ) as *_REQ values(*_ACK) as *_ACK values(*_RSP) as *_RSP values(TransactionCode) as TransactionCode
...add other fields here similar to TransactionCode...
by CorrelationID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-29-2017
12:40 PM
Give this a try
your base search
| eval CVPOutcomeCode_REQ=if(TransactionCode="REQ",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_REQ=if(TransactionCode="REQ",CVPClaimStatusCode,null())
| eval CVPOutcomeCode_ACK=if(TransactionCode="ACK",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_ACK=if(TransactionCode="ACK",CVPClaimStatusCode,null())
| eval CVPOutcomeCode_RSP=if(TransactionCode="RSP",CVPOutcomeCode,null())
| eval CVPClaimStatusCode_RSP=if(TransactionCode="RSP",CVPClaimStatusCode,null())
| stats min(_time) as _time values(*_REQ) as *_REQ values(*_ACK) as *_ACK values(*_RSP) as *_RSP values(TransactionCode) as TransactionCode
...add other fields here similar to TransactionCode...
by CorrelationID
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
03-29-2017
12:22 PM
Can you provide a mock table with output that you want (use this sample data as reference)?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
prashanthberam
Explorer
03-29-2017
12:31 PM
timestamp dcn Groupnumber CorrelationID sectionnum Corporateentity transactioncode cvpclaimstatuscode_req cvpclaimstatuscode_rsp cvpoutcomecode_req cvpoutcomecode_ack cvpoutcomecode_rsp department vendorname vendorcode
because am getting diffrent values cvpoutcomecode i need to know when it's coming
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
03-29-2017
12:20 PM
Try this:
... | list(TransactionCode) AS TransactionCode list(CVPOutcomeCode) AS CVPOutcomeCode list(CVPClaimStatusCode) AS CVPClaimStatusCode BY CorrelationID
Get Updates on the Splunk Community!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
The Transformative Power of AI and ML in Enhancing Observability
In the realm of IT operations, the ...
.conf24 | Registration Open!
Hello, hello! I come bearing good news: Registration for .conf24 is now open!
conf is Splunk’s rad annual ...
ICYMI - Check out the latest releases of Splunk Edge Processor
Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.
HEC Receiver authorization ...
