@oneemailall wrote: I am still trying to figure out why your solution works.

Hi @oneemailall. Please note that in my reply I said that you will need to fine-tune this further, and it is nice to know the other reply works perfectly as you are expecting. As you were saying, you are trying to figure out why that solution works, so let me try to explain.

| eval type = split(Badge, "_")
``` Splitting the "Badge" field by the underscore, you get the "type" of the badge```
| eval level = mvfind(mvappend("Novice", "Capable", "Expert"), mvindex(type, -1)) + 1
``` the mvappend and mvindex are multivalue commands; understanding them takes a longer time. Please check the docs: https://docs.splunk.com/Documentation/SCS/current/SearchReference/MultivalueEvalFunctions ```
| fillnull level
| eval type = mvindex(type, -2)
| eval expire_ts = strptime(ExpireDate, "%m/%d/%y")
``` to sort the ExpireDate, first you need to convert it to epoch time format ```
| sort - level, expire_ts, + "Last name" "First name"
| dedup Domain, "First name", "Last name", Email, type
``` sorting and dedup are done nicely; you can table the output with the command below ```
| table Domain, "First name", "Last name", Email, Badge, ExpireDate