Hello,
I have a list of three events, each of which has the same ID in the field ID. One event contains a field that states PRINT=Y.
The other two events have ACTION=PRINT and ACTION=NO_PRINT.
I want to add a field that checks whether the action taken was correct: if PRINT was Y and the event states ACTION=PRINT, its value becomes "ok".
The table should look like this:
Action -- Validation
1. PRINT -- ok
2. NO_PRINT -- error
How can I do this? If I want to eval a field, it only evaluates the value of the field with PRINT=Y in it, and I can't seem to use it for the other two events.
Hi ckunath,
you should try something like this:
your_search
| transaction ID
| eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error")
| table _time PRINT ACTION check
Bye.
Giuseppe
Hi giuseppe,
thanks a lot for your quick response!
It does work, but it groups all events into one table row, and I need to have the events separated.
For the events
20170102 ID=100 ACTION=PRINT
20170102 ID=100 ACTION=NO_PRINT
20170101 ID=100 PRINT=Y
I need a table like this
2017-01-02 -- PRINT -- ok
2017-01-02 -- NO_PRINT -- error
2017-01-02 -- --
Do you know a way to do that? I appreciate your help!
Hi ckunath,
last year I asked the same question; see the answer at https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html.
Bye.
Giuseppe
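One way to keep one row per event while still validating each ACTION against the PRINT flag that lives on a different event with the same ID is to propagate the flag with eventstats instead of merging the events with transaction. The search below is an added example, not code from the thread or from the linked answer; the three events are constructed inline with makeresults so it runs without any index, and the field names (day, PRINT_flag, check) are assumptions chosen for the example.

```spl
| makeresults
| eval _raw="20170102 ID=100 ACTION=PRINT;20170102 ID=100 ACTION=NO_PRINT;20170101 ID=100 PRINT=Y"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "^(?<day>\d{8}) ID=(?<ID>\d+)"
| rex field=_raw "ACTION=(?<ACTION>\w+)"
| rex field=_raw "PRINT=(?<PRINT>\w+)"
| eval _time=strptime(day,"%Y%m%d")
| eventstats values(PRINT) as PRINT_flag by ID
| eval check=case(isnull(ACTION), null(),
                  PRINT_flag="Y" AND ACTION="PRINT", "ok",
                  true(), "error")
| table _time ID ACTION check
```

The eventstats line copies the PRINT value onto every event sharing the ID without collapsing them, so the eval runs per event: the ACTION=PRINT row gets "ok", the ACTION=NO_PRINT row gets "error", and the PRINT=Y row (which has no ACTION) is left blank. Unlike transaction, eventstats has no maxspan or maxevents limit, so in a real search constrain the time range or add a tighter grouping key if an ID can be reused across unrelated runs, otherwise a stale PRINT=Y from an earlier run will mark later actions as "ok".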