Required Output:
• Matrix: Total Findings by Assessment
Group by Engage, Title
Fields
- Engage
- Title
- Total Count of Rating of H, M, and L (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L - where Assignee is not empty (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L - where Assignee is not empty (3 fields) should be in different columns
- Count of Info or Remediated, of Rating of H, M, and L - where Find_Closed = Yes (3 fields) should be in different columns
- Count of To Be Remediated, of DTCC_Rating of H, M, and L - where Find_Closed = No (3 fields) should be in different columns
- Count of OOM - records where Status = OOM Now
Rating field has (H, M, L) values.
These calculations or fields have to be in one matrix table.
Please let me know how this can be done.
| makeresults
| eval _raw="
Status Engage Title Rating
Report DE1234 Windows H
OOM NRT34 Linux M
Not Report PL239 Linux L"
| multikv forceheader=1
| table Status Engage Title Rating
| append
[| makeresults count=300
| eval Status=mvindex(split("Report#OOM#Not Report","#"),random() % 3)
| eval Title=mvindex(split("Windows#Linux","#"),random() % 2)
| eval Rating=mvindex(split("H#M#L","#"),random() % 3)
| eval Engage=mvindex(split("DE1234#NRT34#PL239","#"),random() % 3)
| table Status Engage Title Rating]
| rename COMMENT as "This is sample data"
| rename COMMENT as "From here, the logic is"
| stats count by Status Engage Title Rating
| stats list(Rating) as Rating list(count) as count by Engage Title Status
Hi, @dtccsundar
I didn't know the quantity and type of data, so it looked like this.
If you specify the output table, I can fix it.
| makeresults
| eval _raw="Engage,Title,Status,Rating,Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L
DE1234,Windows,Report,2,5,7,5,1,9,3
ky342,Linux,Not Report,6,7,,5,,4,
Total,,,8,12,7,10,1,13,3"
| multikv forceheader=1
| table Engage,Title,Status,Rating,Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L
I see what you want, but there is no sample log.
Please check your post.
[1]: http://C:\Users\acer\Desktop
This is your comment's link.
I have a question about this:
"Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L"
How will this work? I am getting an error, and that's because we don't have these fields as such.
Can you please help with this?
The query above is a sample of your provided result.
I can't make a query, because you don't show sample logs.
Thank you for the search you provided, to4kawa.
Actually, I am seeing data for the data which I provided above. But I have around 200 other values like this. Can you please help me with a dynamic search which I can apply here?
Further, there is a total row at the bottom which will give the total for all Rating values (H, M, L).
Example output format of the matrix:
Engage Title Status Rating Assigned_Count_of_Rating Assigned_Count_of_Rating(2)
H L M H L M H L M
DE1234 Windows Report 2 10 5 2 5 6 8 3
NRT34 Linux OOM 5 2 10 5 2 0 1 2 1
Total 7 12 15 7 7 6 1 10 4
Can you please add the below manipulated fields (as in the example format above) to this matrix too, as I mentioned in my initial question.
- Total Count of Rating of H, M, and L (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L - where Assignee is not empty (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L - where Assignee is not empty (3 fields) should be in different columns
- Count of Info or Remediated, of Rating of H, M, and L - where Find_Closed = Yes (3 fields) should be in different columns
- Count of To Be Remediated, of DTCC_Rating of H, M, and L - where Find_Closed = No (3 fields) should be in different columns
- Count of OOM - records where Status = OOM Now
Sorry, I can't understand your matrix.
Engage Title Status Rating Assigned_Count_of_Rating Assigned_Count_of_Rating(2)
There are six fields here.
DE1234 Windows Report 2 10 5 2 5 6 8 3
There are eleven fields.
Is it a matrix? Rating values (H, M, L)? There is no sample log.
Sorry, I have been out for a while on holidays, hence the delay.
I have attached the sample for the matrix and placed the sample too.
Engage Title Status Rating Assigned count 1 Assigned count 2
H M L H M L
DE1234 Windows Report 2 5 7 5 1 9 3
ky342 Linux Not Report 6 7 5 4
Total 8 12 7 10 1 13 3
It's probably possible, but typically when asking a question here we need a raw log/event to work with. The structure of the query can change dramatically depending on how the logs are formatted, does that make sense?
Hi aberkov,
Thank you for your reply; you are right, and that makes sense.
It is basically a SQL view from which we are creating a sourcetype in Splunk. The structure will be like:
Status Engage Title Rating
Report DE1234 Windows H
OOM NRT34 Linux M
Not Report PL239 Linux L
Please let me know the search query for this matrix.
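As an added example (not the asker's or to4kawa's search), the following SPL builds the whole matrix from the original requirement list against the row structure posted above (Status, Engage, Title, Rating), grouped by Engage and Title, with a Total row appended. It assumes two fields that the requirements name but the sample rows do not show, Assignee (empty or missing when unassigned) and Find_Closed (Yes/No), and that out-of-scope records carry Status="OOM" as in the sample. The sample events are constructed here with the pipe-separated data string; the second "Assigned" trio in the request is identical to the first, so only one is built.

```spl
| rename COMMENT as "Constructed sample events: Engage|Title|Status|Rating|Assignee|Find_Closed (empty Assignee = unassigned)"
| makeresults
| eval data="DE1234|Windows|Report|H|alice|Yes;DE1234|Windows|Report|M||No;DE1234|Windows|OOM|L|bob|No;NRT34|Linux|OOM|M|carol|Yes;NRT34|Linux|Report|H||No;PL239|Linux|Not Report|L|dave|Yes"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<Engage>[^|]*)\|(?<Title>[^|]*)\|(?<Status>[^|]*)\|(?<Rating>[^|]*)\|(?<Assignee>[^|]*)\|(?<Find_Closed>[^|]*)$"
| fields - data
| rename COMMENT as "From here the logic is the same for the real sourcetype: replace everything above with your base search"
| eval Assigned=if(isnotnull(Assignee) AND Assignee!="", 1, 0)
| stats
    count(eval(Rating="H")) as Total_H
    count(eval(Rating="M")) as Total_M
    count(eval(Rating="L")) as Total_L
    count(eval(Rating="H" AND Assigned=1)) as Assigned_H
    count(eval(Rating="M" AND Assigned=1)) as Assigned_M
    count(eval(Rating="L" AND Assigned=1)) as Assigned_L
    count(eval(Rating="H" AND Find_Closed="Yes")) as Remediated_H
    count(eval(Rating="M" AND Find_Closed="Yes")) as Remediated_M
    count(eval(Rating="L" AND Find_Closed="Yes")) as Remediated_L
    count(eval(Rating="H" AND Find_Closed="No")) as ToBeRemediated_H
    count(eval(Rating="M" AND Find_Closed="No")) as ToBeRemediated_M
    count(eval(Rating="L" AND Find_Closed="No")) as ToBeRemediated_L
    count(eval(Status="OOM")) as OOM
  by Engage Title
| addcoltotals labelfield=Engage label="Total"
```

Each `count(eval(...))` returns 0 rather than a blank when no row matches, so every Engage/Title pair gets a full set of columns without any hard-coded field names, which is what makes the search work unchanged for the 200 other values mentioned above. `addcoltotals` sums every numeric column and writes "Total" into the Engage field of the appended row, matching the Total line in the example matrices.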