Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to write a search that uses eval to show the difference between two assignment groups?

soniquella
Path Finder
‎09-13-2018 12:37 AM

I am attempting to write a search which uses eval show the difference between two assignment groups. A number of assignment groups which all begin with ABC. I want to group all of these as 'IDS'.I then want to show the allocated tickets to IDS and stack against the OTHER assignment group (which does not start with ABC). I then want this to show as a timechart stacked week by week.
This is what I have:

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" | eval IDS=if(like("Assignment group","ABC*"),"IDS","OTHER") |timechart span=1w count by "Assignment group".

Can anyone advise what I am doing wrong here? The timechart shows individual ABC-**** groups in the chart rather than grouped IDS results against OTHER.

Thanks in advance for any help.
Rob.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-13-2018 01:38 AM

@soniquella ,
If you want them to be grouped as IDs , then you should group by IDS, instead of "Assignment group"

Also use match instead of like and rename "Assignment group" to Assignment_group

For e.g. 

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" |rename "Assignment group" as Assignment_group
| eval IDS=if(match(Assignment_group,"ABC"),"IDS","OTHER") |timechart span=1w count by IDS
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎09-13-2018 01:38 AM

@soniquella ,
If you want them to be grouped as IDs , then you should group by IDS, instead of "Assignment group"

Also use match instead of like and rename "Assignment group" to Assignment_group

For e.g. 

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" |rename "Assignment group" as Assignment_group
| eval IDS=if(match(Assignment_group,"ABC"),"IDS","OTHER") |timechart span=1w count by IDS
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

soniquella
Path Finder
‎09-13-2018 01:50 AM

Thanks for your response.

In either case, I am only seeing 1 set of results. Ideally I would like to see all ABC groups as IDS against remaining OTHER:
index="myindex" sourcetype="csv" "Assignment group"="" | eval Assignment_Grp=if(match("Assignment group","ABC"),"IDS","OTHER") | timechart span=1w count by "Assignment_Grp"

I am ONLY seeing results for OTHER and not IDS? I think I am missing something here?

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-13-2018 02:02 AM

@soniquella ,

Do you mind renaming "Assignment group" to Assignment_Group before the comparison and change it as 

index="myindex" sourcetype="csv" "Assignment group"="" |rename "Assignment group" as Assignment_Group
| eval IDS=if(match(Assignment_Group,"ABC"),"IDS","OTHER") | timechart span=1w count by IDS
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

soniquella
Path Finder
‎09-13-2018 02:17 AM

Thank you once more for your help.

Sadly this is still only showing results for OTHER and none for IDS.

index="myindex" sourcetype="csv" "Assignment group"="" | rename "Assignment group" as "Assignment_Group" | eval IDS=if(match("Assignment_Group","ABC"),"IDS","OTHER") | timechart span=1w count by IDS

If I count by Assignment_Group then I get full ABC1, ABC2, ABC3, etc assignment groups in results as well as OTHER.

My requirement is to have all ABC1, ABC2, ABC3 etc grouped results as one group 'IDS' against the results for all other groups 'OTHER' which do not MATCH ABC* but rather OTHER1, OTHER2.

Sorry if this is not clear.

0 Karma
Reply
Solved! Jump to solution

soniquella
Path Finder
‎09-13-2018 02:29 AM

Got it.
My fault.
Once renamed "Assignment group" to "Assignment_Group" , I needed to remove the "quotation marks". Now all sorted.

Thank you for your help.

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎09-13-2018 02:38 AM

@soniquella ,No worries. Glad that worked. I updated the answer to reflect the changes. You could upvote/answer 🙂

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎09-13-2018 12:48 AM

Hello Rob, that is because you are grouping by Assignment group. In the If condition you are adding the value IDS to a field called IDS, nothing more.

Have you tried to gorup by IDS in the timechart function?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...