- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- What is the best way to go about using multiple ev...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to sort smartsheets by certain combinations of row/column values. If I remove one of the 'foreach' blocks, the search works, outputting a new field. With both, however, the search returns 0 results. I'm wondering if there's a better way to do this.
Also, the reason I can't just eval them separately is that one of the fields (a column) "Final" appears both in "Project scheduling" row events and "Project closed" row events
index=main sourcetype=smartsheet
| rename metadata.smartsheet_name as sheetname
| dedup metadata.id
| foreach sheetname
[ search "Task Name"="Project scheduling"
| eval nowtime=strftime(now(), "%Y-%m-%d")
| eval nowtime=strptime(nowtime, "%Y-%m-%d")
| eval scheduledtime=strptime(Finish,"%Y-%m-%d")
| eval scheduledOk=if(scheduledtime<=nowtime, "true", "false")]
| foreach sheetname
[ search "Task Name"="Project closed"
| eval nowtime=strftime(now(), "%Y-%m-%d")
| eval nowtime=strptime(nowtime, "%Y-%m-%d")
| eval finishtime=strptime(Finish,"%Y-%m-%d")
| eval finishedOk=if(finishtime>nowtime, "true", "false")]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jackstephenson96,
Assuming that the Status condition on the task depends on the Task Name and rest of the fields are same for both, give this a try and see if its matching with your requirement
index=main sourcetype=smartsheet
| rename metadata.smartsheet_name as sheetname
| dedup metadata.id
| eval nowtime=strftime(now(), "%Y-%m-%d")
| eval nowtime=strptime(nowtime, "%Y-%m-%d")
| eval Status=case("Task Name"=="Project scheduling" ,if(strptime(Finish,"%Y-%m-%d")<=nowtime,"true","false")
,"Task Name"=="Project closed" ,if(strptime(Finish,"%Y-%m-%d")>nowtime,"true","false"))
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jackstephenson96,
Assuming that the Status condition on the task depends on the Task Name and rest of the fields are same for both, give this a try and see if its matching with your requirement
index=main sourcetype=smartsheet
| rename metadata.smartsheet_name as sheetname
| dedup metadata.id
| eval nowtime=strftime(now(), "%Y-%m-%d")
| eval nowtime=strptime(nowtime, "%Y-%m-%d")
| eval Status=case("Task Name"=="Project scheduling" ,if(strptime(Finish,"%Y-%m-%d")<=nowtime,"true","false")
,"Task Name"=="Project closed" ,if(strptime(Finish,"%Y-%m-%d")>nowtime,"true","false"))
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Renjith, you are a genius. Thank you
New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...
Alerting Best Practices: How to Create Good Detectors
Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...
