How do you retrieve particular data from one field...

ramesh12345 · ‎02-14-2019

Hi,

i have a CSV file that contains a few persons names and teamname(column names is "name" and "Team"). The team name is the same for all in the CSV file. Now, I want to display the name of the person who is raised from the CSV file.

Ex: CSV file contains

name Team
raju Testing
ramesh Testing
rakesh Testing

if my assigned_to have
Richard
Robart
ramesh
raju

i want to display the last person who is changed from the assigned_to. Here is i want "ramesh" should display.Please help how to do this?

index="one" sourcetype="generated"  Number=* status=*  group=* |dedup _time,Number,group |streamstats current=f last(group) as Group, last(visible) as  Visible last(assigned_to) as Assigned_to by Number|lookup test.csv name as assigned_to OUTPUT Team| eval raised= if(group!=Group AND group="Testing Team",1,NULL) | stats count(raised) AS "Raised Cases" by assigned_to,Team| fields - Team

markusspitzli · ‎02-27-2019

Hi

Why dont you filter the events with the CSV with the inputlookup command? In this way you only get the events where assigned_to contains only those people of your list.

index="one" sourcetype="generated"  Number=* status=*  group=* [ | inputlookup test.csv | field name | rename name as assigned_to ]

Would that help?

How do you retrieve particular data from one field?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life