Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using values of a field, compare them in another field and pulling relevant data into one

shiv1593
Communicator
‎02-04-2018 04:24 AM

Hi All,

I have a field named Issues Reported, whose values go something like this.

alt text

Question 1. Can I use these values and create a exact duplicate field called "Temp" with the exact same values as Issues Reported, then use Temp and Issues Reported values and create something like this:
Where Issues headlines represent an overview of the issue, extracted from "Temp" and Issue Reported contains the values extracted from "Issues Reported"

alt text

Any help will be appreciated.

Thanks,

Tags (1)
Preview file
1 KB
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mdsnmss
SplunkTrust
SplunkTrust
‎02-05-2018 09:53 AM

Here is one way you might be able to do it:

| makeresults 
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password" 
| fields - _time 
| makemv delim="," Issues 
| mvexpand Issues 
| eval Issues_h=case(like(upper(Issues),upper("%Windows%")), "Windows Account Issue", like(upper(Issues),upper("%SAP%")), "SAP Related Issues", like(upper(Issues),upper("%Oracle%")), "Oracle Related Issues")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"

What you would need is everything from "| mvexpand Issues" on, adjusting for fieldnames, The key component here is the "eval Issues_h" part. What that does is assign an Issue Headline to each issue reported. What it does is case insensitive match on keywords like Windows, SAP, and Oracle. You can add additional headline labels and keyword matching as needed. Another way to do this is using match in the eval instead of like and using regex to find specific patterns in the text. Does this help? Let me know if you have any questions!

View solution in original post

Reply
Solved! Jump to solution
Solution

mdsnmss
SplunkTrust
SplunkTrust
‎02-05-2018 09:53 AM

Here is one way you might be able to do it:

| makeresults 
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password" 
| fields - _time 
| makemv delim="," Issues 
| mvexpand Issues 
| eval Issues_h=case(like(upper(Issues),upper("%Windows%")), "Windows Account Issue", like(upper(Issues),upper("%SAP%")), "SAP Related Issues", like(upper(Issues),upper("%Oracle%")), "Oracle Related Issues")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"

What you would need is everything from "| mvexpand Issues" on, adjusting for fieldnames, The key component here is the "eval Issues_h" part. What that does is assign an Issue Headline to each issue reported. What it does is case insensitive match on keywords like Windows, SAP, and Oracle. You can add additional headline labels and keyword matching as needed. Another way to do this is using match in the eval instead of like and using regex to find specific patterns in the text. Does this help? Let me know if you have any questions!

Reply
Solved! Jump to solution

shiv1593
Communicator
‎02-06-2018 07:55 AM

Hello,

It's perfect. I just used eval Issues=upper(Issues) command to turn the field values in Upper case. Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...