Merge fields and magic happens

dcasey
Engager

Looking for a simple approach to combine two fields into one.

Ref: ES / Audit / Incident Review Audit

There is no report/dashboard panel that has a breakdown of Open, Closed, Pending, or Resolved by Severity level. Unfortunately, I need to show how many events are OPEN and how many are CLOSED by Severity levels CRITICAL and HIGH.

Using a basic search string I can easily pull the data but forcing it to break down into a graph using the above criteria is giving me no end of trouble.

Basic search:

notable | search severity="high" OR severity="critical" NOT suppression | stats count by status_label | rename status_label as Status, severity as Severity, count as "# Events" | sort 10 - count

I want to combine Open and Pending into a single, combined field value labeled as "Open", and combine Closed and Resolved into a single field value labeled as "Closed". I then need to reflect how many Open and Closed events there are by severity levels CRITICAL and HIGH.

I would like to put it in a Column graph, with a time range of monthly since the beginning of the year.

Thoughts?


somesoni2
Revered Legend

Try this

notable | search severity="high" OR severity="critical" NOT suppression | eval status_label=case(status_label="Open" OR status_label="Pending","Open",status_label="Closed" OR status_label="Resolved","Closed",1=1,"NA") | stats count by status_label,severity | rename status_label as Status, severity as Severity, count as "# Events" | sort 10 - count

For a month-wise chart:

notable | search severity="high" OR severity="critical" NOT suppression | eval status_label=case(status_label="Open" OR status_label="Pending","Open",status_label="Closed" OR status_label="Resolved","Closed",1=1,"NA") | eval severity_status=severity.":".status_label| timechart span=1mon count by severity_status

somesoni2
Revered Legend

It may be because of the "sort 10 -count" command, which just sorts in descending order by count and selects the top 10 rows. What is the exact requirement here? Also, please validate the string values within double quotes for exact value and case. Except in the base search, case matters everywhere (I suspect this because "N/A" is returned).


dcasey
Engager

Unfortunately, it is only showing a single set of columns (High). (HIGH:N/A). No breakdowns by severity or status.

I removed the severity criteria (severity="high" OR severity="critical") so that it could look at all severity levels. I wanted to shorten the window (speed up the search), so I needed to ensure there were events that the query could return. Same results either way.

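As an added example (not code from anyone in the thread), one way to build the monthly column chart the question asks for: it merges the statuses with the same case() approach as the answer above, but lower-cases status_label before comparing so that capitalisation differences (the likely cause of the "N/A" bucket discussed above) cannot push events into the fallback, and it restricts to notables since the start of the year. It assumes the Enterprise Security `notable` macro and the severity and status_label fields used in the thread.

```spl
`notable`
| search (severity="high" OR severity="critical") NOT suppression
| where _time>=relative_time(now(),"@y")
| eval Status=case(
      lower(status_label)="open" OR lower(status_label)="pending", "Open",
      lower(status_label)="closed" OR lower(status_label)="resolved", "Closed",
      1=1, "Other")
| eval series=upper(severity).":".Status
| timechart span=1mon count by series
```

Each month then gets one column per CRITICAL:Open, CRITICAL:Closed, HIGH:Open and HIGH:Closed series, with 0 filled in where a series has no events. If you add a sort or a rename to the table form of this search, put the sort before the rename, since a field renamed to "# Events" can no longer be sorted as count.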