index=*sap sourcetype=FSC* | fields _time index Eventts ID FIELD_02 FIELD_01 CODE ID FIELD* source | rex field=index "^(?<prefix>\d+_\d+)" | lookup lookup_site_ids.csv prefix as prefix output name...
See more...
index=*sap sourcetype=FSC* | fields _time index Eventts ID FIELD_02 FIELD_01 CODE ID FIELD* source | rex field=index "^(?<prefix>\d+_\d+)" | lookup lookup_site_ids.csv prefix as prefix output name as Site | eval name2=substr(Site,8,4) | rex field=Eventts "(?<Date>\d{4}-\d{2}-\d{2})T(?<Time>\d{2}:\d{2}:\d{2}\.\d{3})" | fields - Eventts | eval timestamp = Date . " " . Time | eval _time = strptime(timestamp, "%Y-%m-%d %H:%M:%S.%3N") | eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S.%3N"), Condition="test" | eval Stamp = strftime(_time, "%Y-%m-%d %H:%M:%S.%3N") | lookup Stoppage.csv name as Site OUTPUT Condition Time as Stamp | search Condition="Stoppage" | where Stamp = Time | eval index_time = strptime(Time, "%Y-%m-%d %H:%M:%S.%3N") | eval lookup_time = strftime(Stamp, "%Y-%m-%d %H:%M:%S.%3N") | eval CODE=if(isnull(CODE),"N/A",CODE), FIELD_01=if(isnull(FIELD_01),"N/A",FIELD_01), FIELD_02=if(isnull(FIELD_02),"N/A",FIELD_02) | lookup code_translator.csv FIELD_01 as FIELD_01 output nonzero_bits as nonzero_bits | eval nonzero_bits=if(FIELD_02="ST" AND FIELD_01="DA",nonzero_bits,"N/A") | mvexpand nonzero_bits | lookup Decomposition_File.csv Site as name2 Alarm_bit_index as nonzero_bits "Componenty_type_and_CODE" as CODE "Component_number" as ID output "Symbolic_name" as Symbolic_name Alarm_type as Alarm_type Brief_alarm_description as Brief_alarm_description Alarm_solution | eval Symbolic_name=if(FIELD_01="DA",Symbolic_name,"N/A") , Brief_alarm_description=if(FIELD_01="DA",Brief_alarm_description,"N/A") , Alarm_type=if(FIELD_01="DA",Alarm_type,"N/A") , Alarm_solution=if(FIELD_01="DA",Alarm_solution,"N/A") | fillnull value="N/A" Symbolic_name Brief_alarm_description Alarm_type | table Site Symbolic_name Brief_alarm_description Alarm_type Alarm_solution Condition Value index_time Time _time Stamp lookup_time