Using values of a field, comparing them with another field and pulling relevant data into one

shiv1593
Communicator

Hi All,

I have a field named Issues Reported, whose values go something like this.

[image: sample values of the Issues Reported field]

Question 1. Can I use these values and create an exact duplicate field called "Temp" with the exact same values as Issues Reported, then use the Temp and Issues Reported values and create something like this:
where Issue Headlines represents an overview of the issue, extracted from "Temp", and Issues Reported contains the values extracted from "Issues Reported"

[image: desired output table with Issue Headlines and Issues Reported columns]

Any help will be appreciated.

Thanks,


mdsnmss
SplunkTrust

Here is one way you might be able to do it:

| makeresults 
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password" 
| fields - _time 
| makemv delim="," Issues 
| mvexpand Issues 
| eval Issues_h=case(like(upper(Issues),upper("%Windows%")), "Windows Account Issue", like(upper(Issues),upper("%SAP%")), "SAP Related Issues", like(upper(Issues),upper("%Oracle%")), "Oracle Related Issues")
| stats list(Issues) as "Issues Reported" by Issues_h
| rename Issues_h as "Issue Headlines"

What you would need is everything from "| mvexpand Issues" on, adjusting for field names. The key component here is the "eval Issues_h" part. What that does is assign an Issue Headline to each issue reported. It does a case-insensitive match on keywords like Windows, SAP, and Oracle. You can add additional headline labels and keyword matching as needed. Another way to do this is using match in the eval instead of like and using regex to find specific patterns in the text. Does this help? Let me know if you have any questions!

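As an added example (not part of the accepted answer above), the following search shows the match()/regex variant the answer mentions. It also addresses a gap in the case() expression as posted: with no default branch, any issue that matches none of the keywords gets a null Issues_h and is silently dropped by the stats ... by clause. The true() branch below keeps those rows in an "Uncategorised" bucket so nothing reported disappears from the summary. The sample values are constructed for the example (the original thread's data came from a screenshot), the field name Issue_Headlines is chosen here, and the (?i) flag makes the regex case-insensitive so no upper() wrapping is needed.

```spl
| makeresults
| rename COMMENT AS "Constructed sample data for this example, not the values from the original thread"
| eval Issues="Windows account is locked, AD/Windows locked issues, SAP Account is locked. User Australia, My Windows account is locked., Unable to login to SAP, My Oracle account is locked, Reset my windows account password, VPN token expired"
| fields - _time
| makemv delim="," Issues
| mvexpand Issues
| rename COMMENT AS "makemv leaves a leading space after each comma; trim it before matching"
| eval Issues=trim(Issues)
| rename COMMENT AS "match() takes a regex; (?i) is case-insensitive; true() is the catch-all default"
| eval Issue_Headlines=case(
    match(Issues, "(?i)windows"), "Windows Account Issue",
    match(Issues, "(?i)sap"),     "SAP Related Issues",
    match(Issues, "(?i)oracle"),  "Oracle Related Issues",
    true(),                       "Uncategorised")
| stats count, list(Issues) as "Issues Reported" by Issue_Headlines
| sort - count
```

The `| rename COMMENT AS "..."` lines are a long-standing SPL idiom for inline comments (renaming a field that does not exist is a no-op); on Splunk versions that support triple-backtick comments you can use those instead. The added count column makes it easy to see how many reports fell into the catch-all bucket, which is the set to review when deciding whether a new headline pattern is needed. Note that list() returns at most 100 values per group; for large result sets use values() (which also deduplicates) or aggregate by a time bucket first.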

shiv1593
Communicator

Hello,

It's perfect. I just used the eval Issues=upper(Issues) command to turn the field values to upper case. Thank you.
