Hello Splunkers!!
As per my query below, I am not getting the group & error_description fields from the query. Please advise what needs to be modified in the last line of the query to get the results of those fields.
index=2313917_2797418_scada
| xpath outfield=ErrorType "//ErrorType"
| search ErrorType IN("OPERATIONAL", "TECHNICAL")
| xpath outfield=AreaID "//AreaID"
| xpath outfield=ZoneID "//ZoneID"
| xpath outfield=EquipmentID "//EquipmentID"
| xpath outfield=MIS_Address "//MIS_Address"
| xpath outfield=State "//State"
| xpath outfield=ElementID "//ElementID"
| rex field=_raw "eqtext\:Description\>(?P<description>.+)\<\/eqtext\:Description"
| rename EquipmentID as equipment ZoneID as zone AreaID as area ElementID as element State as error_status MIS_Address as error
| eval isc_id=area.".".zone.".".equipment
| search isc_id="*" area="*" zone="*" equipment="*"
| eval start_time=exact(coalesce(start_time,'_time')), _virtual_=if(isnull(virtual),"N","Y"), _cd_=replace('_cd',".*:","")
| fields + _time, isc_id, area, zone, equipment, element, error, start_time error_status
| sort 0 -_time _virtual_ -"_indextime" -_cd_
| dedup isc_id
| fields - _virtual_, _cd_
| eval _time=start_time
| lookup isc.csv id AS isc_id output statistical_subject mark_code
| lookup detail_status.csv component_type_id AS statistical_subject output alarm_severity description operational_rate technical_rate
| search alarm_severity="*" mark_code="*"
| fillnull value=0 technical_rate operational_rate
| eval start_time=exact(coalesce(start_time,'_time')), description=coalesce(description,("Unknown text for error number " . error)), error_description=((error . "-") . description), group=((isc_id . error) . start_time)
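An added example, not part of the original post, that reproduces the final eval on two constructed rows: in SPL the `.` operator returns null when any operand is null, so error_description and group silently vanish whenever error (the renamed MIS_Address extraction) is empty on an event. The *_safe fields show the same expressions with the null input coalesced first; the isc_id, error and description values are constructed.

```spl
| makeresults count=2
| streamstats count AS n
| eval isc_id=if(n=1, "A1.Z2.E3", "A1.Z2.E4"),
       error=if(n=1, "E42", null()),
       description=if(n=1, "Pump fault", null()),
       start_time=_time
| eval description=coalesce(description, "Unknown text for error number " . error),
       error_description=(error . "-") . description,
       group=(isc_id . error) . start_time
| eval error_safe=coalesce(error, "UNKNOWN"),
       error_description_safe=(error_safe . "-") . coalesce(description, "Unknown text for error number " . error_safe),
       group_safe=(isc_id . error_safe) . start_time
| table n isc_id error error_description group error_description_safe group_safe
```

Row 2 comes back with error_description and group empty while both *_safe columns are filled. Inserting `| stats count(isc_id) count(error) count(start_time)` into the real query just before its last eval shows which of the three inputs is missing on the affected events.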