Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search using a CSV file to display a list of lent materials by user based on status?

erichard
Explorer
‎03-04-2016 02:56 AM

Hello,

I have a list of assets like this:

date,material,username,status
01/12/15,"IPad #4654654",eric,lent
01/12/15,"Iphone #4547879",paul,lent
01/15/15,"IPad #4654654",eric,return
01/16/15,"Keyboard #454456",eric,lent
01/17/15,"Nexus 7 #414456",eric,lent

and I would like to extract the list of materials that are actually lent by user. In this case:

eric   Keyboard   #454456    01/16/15
       Nexus 7    #414456    01/17/15
paul   Iphone     #4547879   01/12/15

How I can do this?

Thanks in advance for your help.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-04-2016 07:30 AM

Try this:

| inputcsv mycsv.csv
| eval statusInteger = if(match(status,"lent"), 1, -1)
| eval date = strptime(date, "%m/%d/%y")
| stats sum(statusInteger) as status, max(date) as date by username, material
| where status != 0 
| fields - status
| fieldformat date=strftime(date, "%m/%d/%y")
| stats list(material) as material, list(date) as date by username

Output:

alt text

View solution in original post

Preview file
16 KB
0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎03-04-2016 07:30 AM

Try this:

| inputcsv mycsv.csv
| eval statusInteger = if(match(status,"lent"), 1, -1)
| eval date = strptime(date, "%m/%d/%y")
| stats sum(statusInteger) as status, max(date) as date by username, material
| where status != 0 
| fields - status
| fieldformat date=strftime(date, "%m/%d/%y")
| stats list(material) as material, list(date) as date by username

Output:

alt text

Preview file
16 KB
0 Karma
Reply
Solved! Jump to solution

erichard
Explorer
‎03-04-2016 07:44 AM

Thanks it's working !

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-04-2016 07:15 AM

Assuming you already have the fields extracted from your csv type data, try something like this

your base search status=lent | stats list(material) as material list(date) as date by username
0 Karma
Reply
Solved! Jump to solution

erichard
Explorer
‎03-04-2016 07:29 AM

Thanks for your answer, but it's not working as i need, with your answer i have :

eric IPad #4654654
Keyboard #454456
Nexus 7 #414456

The material IPad has beed returned (01/15/15,"IPad #4654654",eric,return) however it shouldn't appear.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...