Splunk Search

How to write a search that uses eval to show the difference between two assignment groups?

soniquella
Path Finder

I am attempting to write a search which uses eval to show the difference between two assignment groups. There are a number of assignment groups which all begin with ABC. I want to group all of these as 'IDS'. I then want to show the tickets allocated to IDS and stack them against the OTHER assignment group (which does not start with ABC). I then want this to show as a timechart stacked week by week.
This is what I have:

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" | eval IDS=if(like("Assignment group","ABC*"),"IDS","OTHER") | timechart span=1w count by "Assignment group"

Can anyone advise what I am doing wrong here? The timechart shows individual ABC-**** groups in the chart rather than grouped IDS results against OTHER.

Thanks in advance for any help.
Rob.

1 Solution

renjith_nair
SplunkTrust

@soniquella ,
If you want them to be grouped as IDS, then you should group by IDS instead of "Assignment group".

Also, use match instead of like, and rename "Assignment group" to Assignment_group.

For example:

index="myindex" sourcetype="csv" "Assignment group"="wildcard*" |rename "Assignment group" as Assignment_group
| eval IDS=if(match(Assignment_group,"ABC"),"IDS","OTHER") |timechart span=1w count by IDS



soniquella
Path Finder

Thanks for your response.

In either case, I am only seeing 1 set of results. Ideally I would like to see all ABC groups as IDS against remaining OTHER:
index="myindex" sourcetype="csv" "Assignment group"="" | eval Assignment_Grp=if(match("Assignment group","ABC"),"IDS","OTHER") | timechart span=1w count by "Assignment_Grp"

I am ONLY seeing results for OTHER and not IDS. I think I am missing something here?


renjith_nair
SplunkTrust

@soniquella ,

Do you mind renaming "Assignment group" to Assignment_Group before the comparison and changing it to:

index="myindex" sourcetype="csv" "Assignment group"="" |rename "Assignment group" as Assignment_Group
| eval IDS=if(match(Assignment_Group,"ABC"),"IDS","OTHER") | timechart span=1w count by IDS

soniquella
Path Finder

Thank you once more for your help.

Sadly this is still only showing results for OTHER and none for IDS.

index="myindex" sourcetype="csv" "Assignment group"="" | rename "Assignment group" as "Assignment_Group" | eval IDS=if(match("Assignment_Group","ABC"),"IDS","OTHER") | timechart span=1w count by IDS

If I count by Assignment_Group then I get the full ABC1, ABC2, ABC3, etc. assignment groups in the results as well as OTHER.

My requirement is to have all ABC1, ABC2, ABC3, etc. grouped as one group 'IDS' against the results for all other groups 'OTHER', which do not match ABC* but are rather OTHER1, OTHER2.

Sorry if this is not clear.


soniquella
Path Finder

Got it. My fault.
Once I renamed "Assignment group" to "Assignment_Group", I needed to remove the quotation marks. Now all sorted.

Thank you for your help.


renjith_nair
SplunkTrust

@soniquella, no worries. Glad that worked. I updated the answer to reflect the changes. You could upvote/accept the answer 🙂

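The root cause the thread arrives at (quoting the field name inside match) is worth seeing side by side with the working form. The following search is an added example and is not from the original thread or from either poster: it builds twelve constructed events with makeresults (field names and values such as ABC1, ABC2, ABC3, OTHER1 are made up here to mirror the question) and then computes the bucket field both ways before charting it.

```spl
| makeresults count=12
| streamstats count AS n
| eval Assignment_Group=case(n%4=1, "ABC1", n%4=2, "ABC2", n%4=3, "ABC3", true(), "OTHER1")
| eval weeks_ago=ceil(n/4)
| eval _time=relative_time(now(), "-".weeks_ago."w@w")
| rename Assignment_Group AS "Assignment group"
| eval IDS_literal=if(match("Assignment group", "^ABC"), "IDS", "OTHER")
| eval IDS=if(match('Assignment group', "^ABC"), "IDS", "OTHER")
| timechart span=1w count BY IDS
```

In eval, text in double quotes is a string literal and a field name goes in single quotes (or bare, when it has no spaces). The IDS_literal line therefore runs the regex against the constant string "Assignment group", which never starts with ABC, so every event lands in the else branch, which is exactly the all-OTHER result described above. The IDS line references the field and splits the same data 9 IDS to 3 OTHER per week; swap the final timechart for | stats count BY IDS_literal IDS to see both columns at once. Two smaller points from the original search: like() uses % and _ as its wildcards, not *, so the like-based equivalent is like('Assignment group', "ABC%"); and anchoring the regex with ^ (the accepted answer's "ABC" would also match a group such as XABC) plus remembering that match() is case-sensitive keeps the bucket honest. The general check before building a dashboard or an alert on a derived bucket field like this one is a quick | stats count BY IDS and confirming every expected value appears: a condition that is silently always false pushes everything into the else branch, and a detection gated on the other branch will simply never fire.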

osakachan
Communicator

Hello Rob, that is because you are grouping by Assignment group. In the If condition you are adding the value IDS to a field called IDS, nothing more.

Have you tried to group by IDS in the timechart function?
