Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Save value of a field of one event and compare it with all other found events

ckunath
Communicator
‎04-06-2017 02:07 AM

Hello,

I have a list of three events, each of them has the same ID in the field ID. One event containing a field that states PRINT=Y.
The other two events being ACTION=PRINT and ACTION=NO_PRINT.
I want to add a field that checks if the done action was correct by checking that if PRINT was Y, and the event states ACTION=PRINT its value becomes "ok".

The table should look like this:

Action -- Validation
1. PRINT -- ok
2. NO_PRINT -- error

How can I do this? If I want to eval a field, it only evaluates the value of the field with PRINT=Y in it, and I can't seem to use it for the other two events.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 03:08 AM

Hi ckunath,
you should try something like this:

your_search 
| transaction ID
| eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error")
| table _time PRINT ACTION check

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 03:08 AM

Hi ckunath,
you should try something like this:

your_search 
| transaction ID
| eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error")
| table _time PRINT ACTION check

Bye.
Giuseppe

Reply
Solved! Jump to solution

ckunath
Communicator
‎04-06-2017 04:00 AM

Hi giuseppe,

thanks a lot for your quick response!
It does work, but it groups all events into one table row and I need to have the events separated..

For the events

20170102 ID=100 ACTION=PRINT
20170102 ID=100 ACTION=NO_PRINT
20170101 ID=100 PRINT=Y

I need a table like this

2017-01-02 -- PRINT -- ok
2017-01-02 -- NO_PRINT -- error
2017-01-02 --  --

Do you know a way to do that? I appreciate your help!

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 04:13 AM

Hi Hi ckunath,,
last year I did the same question, see the answer https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html.
Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...