Splunk Search

In three related events, how do you avoid the one without a field value?

mrovirab
Explorer

Hello,

I have a tricky question.

I'm trying to count tickets by providers we have. I am using the parent and subtasks to check to which team we are sending a subtask + using the service to know the provider.

I'm stuck in cases like these ones.

3 events which are

- the parent task .1 with no to_team and no provider

- subtask 1 with one to_team

- subtask num 2 with a provider (different to the team above)

Now I have the three of them counted as Provider1 (subtask num1), Provider2 (subtask number 2) and Other (parent task). However, what I need is to avoid counting the parent task if there's a subtask with the needed information.

 

There are some parent tasks with no information that have to be in the "Other" section because they need to be counted, but just when there's no subtask attached.

Is it possible?

I have tried subsearches but I cannot achieve one that works.

 

Thank you in advance.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Not sure if this works for you since it counts Product rather than Provider

| stats values(Product) as Product by ticket_number
| eval _Products=mvfilter(Product!="Other")
| eval Product=coalesce(_Products,Product)
| stats count by Product


0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you provide more detailed examples of the events you are dealing with and how they inter-relate?

0 Karma

mrovirab
Explorer

The number of inter-related events is something I cannot say, because it depends on whether a ticket has been delegated or not.

Interesting Fields

  • index 24
  • Product 19
  • Service 100+
  • created_at 100+
  • from_team_name 12
  • from_team_type 3
  • Provider 38
  • redirection_type 4
  • sub_task 100+
  • task_number 100+
  • ticket_number 100+
  • urgency 5

These are the fields I'm using to find out how many tickets we have handled for each Product, looking at Provider.

I remove duplicates with | dedup ticket_number,Product because one ticket can have more than one product related. In the example above I'm counting three events with the same ticket number but with three different products, one being "Other", which can make sense. The issue is that one of those events is the parent task, which appears in Other because in that event the Provider field is empty. In those situations I would like to skip the parent task, as it's not true that there's no identified product: its subtask has one, but it's not populated in the event for the parent task.

 

What I was thinking at the beginning is to use one of the subtask's Provider values and bring that to the parent task event. Then, when executing the dedup, it wouldn't be counted because two events would have the same Product and Provider. However, I don't know how to actually build a subsearch for that.

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

How do you know which subtask event is related to which parent task event?

Can you provide some sample events (anonymised appropriately)?

0 Karma

mrovirab
Explorer

Hi,

These are the values for the example, anonymised enough but with useful values.

ticket_number | task_number | parent_task | sub_task    | Product | Provider
------------- | ----------- | ----------- | ----------- | ------- | --------
tic3624       | tic3624.1.2 | tic3624.1   | tic3624.1.2 | A       | a
tic3624       | tic3624.1.1 | tic3624.1   | tic3624.1.1 | B       | b
tic3624       | tic3624.1   | tic3624.1   |             | Other   |

 

All three events have the same ticket_number and same parent_task. And this will happen with other cases like this one.

It gives the count of 1 ticket for Product A, one ticket for Product B and one ticket for Other, but this last part is not completely true. If we look at the event it is correct, because there's no Provider, but it was something we delegated.

Filtering out all the events without sub_task will not work because some of the tasks that need to be counted are not delegated.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Does this work for you?

| stats values(Provider) as Provider by ticket_number
| stats count by Provider

0 Karma

mrovirab
Explorer

Hello,

I tried and in this particular case it works, but not for all the cases.

I have discovered that some of them are missing the Provider field but they should be counted, hence I need to use another field that indicates to which team we have sent the case.

Then the issue is when the Product is Other for a parent task that has a subtask with a Provider or a destination team.

 

This is getting too complicated maybe 😞

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you provide an anonymised example of this case too please?

0 Karma

mrovirab
Explorer

Hi,

I hope this fits the request, not sure if I'm adding too little info.

These are the values for the example, anonymised enough but with useful values.

row # | ticket_number | task_number | parent_task | sub_task    | Product | Provider | to_team
----- | ------------- | ----------- | ----------- | ----------- | ------- | -------- | -------
1     | tic3624       | tic3624.1.2 | tic3624.1   | tic3624.1.2 | A       | a        | bcn
2     | tic3624       | tic3624.1.1 | tic3624.1   | tic3624.1.1 | B       | b        |
3     | tic3624       | tic3624.1   | tic3624.1   |             | Other   |          |
4     | tic3625       | tic3625.1   | tic3625.1   |             | A       | a        |
5     | tic3626       | tic3626.1   | tic3626.1   |             | Other   |          |
6     | tic3626       | tic3626.1   | tic3626.1   | tic3626.1.1 | A       |          | bcn
7     | tic3627       | tic3627.1   | tic3627.1   |             | Other   |          |

 

I have a long eval checking both the Provider and to_team fields, always giving priority to the Provider, but checking the team in case there's a subtask delegated. Then, in the example above, only the Other rows (rows 3 & 5) should not be counted, because there are subtasks. In the end, the Other is there in case there are tickets that cannot be identified (i.e. the last row).

Thanks

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Not sure if this works for you since it counts Product rather than Provider

| stats values(Product) as Product by ticket_number
| eval _Products=mvfilter(Product!="Other")
| eval Product=coalesce(_Products,Product)
| stats count by Product

0 Karma

mrovirab
Explorer

I have checked some examples and it seems to work! 🙂

In addition, the Other count has decreased from 530 to 379; it fits for me to still have a big number, with the decrease accounting for all the duplicated events between parent tasks and sub tasks.

Can you please explain to me a little bit what those functions do? To learn more.

Thank you!

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

``` Gather all the unique values of Product into a multi-value field called Product ```
| stats values(Product) as Product by ticket_number
``` Create a copy of the multi-value field without the "Other" product value ```
| eval _Products=mvfilter(Product!="Other")
``` Overwrite Product with the filtered version if it is not null ```
``` _Products will be null if the only Product for the ticket is Other ```
| eval Product=coalesce(_Products,Product)
``` Count the occurrences of each Product (including Other) ```
| stats count by Product
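The following is an added example, not code from the thread: a small Python model of what the accepted SPL pipeline does, run over the seven anonymised rows posted above (constructed here as a list of dicts, with empty strings standing for absent fields). It also models the earlier `stats values(Provider) ... | stats count by Provider` suggestion so the difference on row 6 (a subtask with to_team but no Provider) is visible. Function names such as `count_products` and `mvfilter_not_other` are my own and are not Splunk commands; the modelled semantics (values() ignores null fields, mvfilter returns null when nothing survives, stats ... by expands a multivalue field and drops null by-values) are stated in the comments as the assumptions the model relies on.

```python
from collections import Counter

# Constructed from the asker's second table; "" means the field is absent.
FIELDS = ("ticket_number", "task_number", "parent_task", "sub_task",
          "Product", "Provider", "to_team")
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in [
    ("tic3624", "tic3624.1.2", "tic3624.1", "tic3624.1.2", "A",     "a", "bcn"),
    ("tic3624", "tic3624.1.1", "tic3624.1", "tic3624.1.1", "B",     "b", ""),
    ("tic3624", "tic3624.1",   "tic3624.1", "",            "Other", "",  ""),
    ("tic3625", "tic3625.1",   "tic3625.1", "",            "A",     "a", ""),
    ("tic3626", "tic3626.1",   "tic3626.1", "",            "Other", "",  ""),
    ("tic3626", "tic3626.1",   "tic3626.1", "tic3626.1.1", "A",     "",  "bcn"),
    ("tic3627", "tic3627.1",   "tic3627.1", "",            "Other", "",  ""),
]]


def stats_values_by_ticket(events, field):
    """Model of `| stats values(<field>) as <field> by ticket_number`.

    Returns {ticket_number: set of distinct values}. An absent field is not
    collected (assumption: values() ignores nulls), so a ticket whose events
    never carry the field ends up with an empty set, i.e. a null field.
    """
    per_ticket = {}
    for event in events:
        values = per_ticket.setdefault(event["ticket_number"], set())
        if event.get(field):
            values.add(event[field])
    return per_ticket


def mvfilter_not_other(values):
    """Model of `| eval _Products=mvfilter(Product!="Other")`.

    Keeps every value except "Other"; returns None when nothing survives
    (assumption: mvfilter yields null for an empty result).
    """
    kept = {v for v in values if v != "Other"}
    return kept or None


def coalesce(first, second):
    """Model of eval's coalesce(): first non-null argument."""
    return first if first is not None else second


def count_by(per_ticket_values):
    """Model of `| stats count by <field>` over the per-ticket rows.

    Assumption: a multivalue by-field is expanded so each value is counted
    once per ticket, and rows whose field is null (empty set) are dropped.
    """
    counts = Counter()
    for values in per_ticket_values.values():
        for v in values:
            counts[v] += 1
    return dict(counts)


def count_products(events):
    """The accepted answer: drop "Other" for a ticket only if it also has a
    real Product; a ticket that is only "Other" is still counted as Other."""
    by_ticket = stats_values_by_ticket(events, "Product")
    resolved = {
        ticket: coalesce(mvfilter_not_other(values), values)
        for ticket, values in by_ticket.items()
    }
    return count_by(resolved)


def count_providers(events):
    """The earlier suggestion: count distinct Provider per ticket. A ticket
    whose events carry to_team but no Provider (tic3626) silently vanishes."""
    return count_by(stats_values_by_ticket(events, "Provider"))


if __name__ == "__main__":
    print("count by Product :", count_products(SAMPLE_EVENTS))
    print("count by Provider:", count_providers(SAMPLE_EVENTS))
```

Running it on the sample rows gives A counted three times (tic3624, tic3625, tic3626), B once and Other once (tic3627, the only ticket with nothing else to fall back on), which matches the behaviour the accepted answer describes; the Provider variant loses tic3626 entirely, which is the gap the asker reported before moving to the Product-based count.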