How to create a table with a static column A and d...

priyenshah6 · ‎01-14-2015

I want to create a table as:

Column A, Column B
LoginFailure, YES
LoginSuccess, NO
Account Lockout, YES

Basically YES/NO values are determined depending on if that event occurred.

My challenge is if LoginSuccess event never occurred, it does not get displayed in my report. So I need a report with static number of rows (which will be predefined list of events I want to monitor) and values as Yes/No depending if that event occurred for a given timeframe.

ppablo · ‎01-20-2015

Hi @priyenshah6

Just following up with this question, but did @somesoni2's answer below help solve your question?

somesoni2 · ‎01-15-2015

Try something like this

your search producing columnA and ColumnB | append [| gentimes start=-1 | eval columnA="LoginFailure,LoginSuccess,Account Lockout" | table columnA | makemv delim="," columnA | mvexpand columnA] | stats values(columnB) as columnB by columnA | fillnull value="NO" columnB

priyenshah6 · ‎01-20-2015

Thanks @somesoni2 for your response. I used Lookup approach to resolve the issue. Figured it was easy to manage Lookup file. Here is how I did it:

| inputlookups Events.csv | eval count=0 | append [search xyz [inputlookup Events.csv] | stats count by name] | stats sum(count) as total by name | eval status=if(total>0,"Yes","No")

here my Lookup file has list of all event names that I want to monitor and need status as Yes/No depending if they occurred in given time frame.

How to create a table with a static column A and dynamic column B based on search values?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms