Solved: Re: How to write a search that uses eval to show t...

soniquella · ‎09-13-2018

I am attempting to write a search which uses eval show the difference between two assignment groups. A number of assignment groups which all begin with ABC. I want to group all of these as 'IDS'.I then want to show the allocated tickets to IDS and stack against the OTHER assignment group (which does not start with ABC). I then want this to show as a timechart stacked week by week.
This is what I have:

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" | eval IDS=if(like("Assignment group","ABC*"),"IDS","OTHER") |timechart span=1w count by "Assignment group".

Can anyone advise what I am doing wrong here? The timechart shows individual ABC-**** groups in the chart rather than grouped IDS results against OTHER.

Thanks in advance for any help.
Rob.

renjith_nair · ‎09-13-2018

@soniquella ,
If you want them to be grouped as IDs , then you should group by IDS, instead of "Assignment group"

Also use match instead of like and rename "Assignment group" to Assignment_group

For e.g.

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" |rename "Assignment group" as Assignment_group
| eval IDS=if(match(Assignment_group,"ABC"),"IDS","OTHER") |timechart span=1w count by IDS

Happy Splunking!

View solution in original post

renjith_nair · ‎09-13-2018

@soniquella ,
If you want them to be grouped as IDs , then you should group by IDS, instead of "Assignment group"

Also use match instead of like and rename "Assignment group" to Assignment_group

For e.g.

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" |rename "Assignment group" as Assignment_group
| eval IDS=if(match(Assignment_group,"ABC"),"IDS","OTHER") |timechart span=1w count by IDS

Happy Splunking!

soniquella · ‎09-13-2018

Thanks for your response.

In either case, I am only seeing 1 set of results. Ideally I would like to see all ABC groups as IDS against remaining OTHER:
index="myindex" sourcetype="csv" "Assignment group"="" | eval Assignment_Grp=if(match("Assignment group","ABC"),"IDS","OTHER") | timechart span=1w count by "Assignment_Grp"

I am ONLY seeing results for OTHER and not IDS? I think I am missing something here?

renjith_nair · ‎09-13-2018

@soniquella ,

Do you mind renaming "Assignment group" to Assignment_Group before the comparison and change it as

index="myindex" sourcetype="csv" "Assignment group"="" |rename "Assignment group" as Assignment_Group
| eval IDS=if(match(Assignment_Group,"ABC"),"IDS","OTHER") | timechart span=1w count by IDS

Happy Splunking!

soniquella · ‎09-13-2018

Thank you once more for your help.

Sadly this is still only showing results for OTHER and none for IDS.

index="myindex" sourcetype="csv" "Assignment group"="" | rename "Assignment group" as "Assignment_Group" | eval IDS=if(match("Assignment_Group","ABC"),"IDS","OTHER") | timechart span=1w count by IDS

If I count by Assignment_Group then I get full ABC1, ABC2, ABC3, etc assignment groups in results as well as OTHER.

My requirement is to have all ABC1, ABC2, ABC3 etc grouped results as one group 'IDS' against the results for all other groups 'OTHER' which do not MATCH ABC* but rather OTHER1, OTHER2.

Sorry if this is not clear.

soniquella · ‎09-13-2018

Got it.
My fault.
Once renamed "Assignment group" to "Assignment_Group" , I needed to remove the "quotation marks". Now all sorted.

Thank you for your help.

renjith_nair · ‎09-13-2018

@soniquella ,No worries. Glad that worked. I updated the answer to reflect the changes. You could upvote/answer 🙂

Happy Splunking!

osakachan · ‎09-13-2018

Hello Rob, that is because you are grouping by Assignment group. In the If condition you are adding the value IDS to a field called IDS, nothing more.

Have you tried to gorup by IDS in the timechart function?

How to write a search that uses eval to show the difference between two assignment groups?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms