Splunk Search

Can anyone please tell me how to make a matrix for the below

dtccsundar
Path Finder

Required Output :
• Matrix: Total Findings by Assessment
Group by Engage, Title
Fields
- Engage
- Title
- Total Count of Rating of H, M, and L (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L – where Assignee is not empty (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L – where Assignee is not empty (3 fields) should be in different columns
- Count of Info or Remediated, of Rating of H, M, and L – where Find_Closed = Yes (3 fields) should be in different columns
- Count of To Be Remediated, of DTCC_Rating of H, M, and L – where Find_Closed = No (3 fields) should be in different columns
- Count of OOM – records where Status = OOM Now

Rating field has (H,M,L) values.

These calculations or fields have to be in one matrix table.
Please let me know how this can be done.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="
Status     Engage Title   Rating
Report     DE1234 Windows H
OOM        NRT34  Linux   M
Not Report PL239  Linux   L"
| multikv forceheader=1
| table Status     Engage Title   Rating
| append 
    [| makeresults count=300
    | eval Status=mvindex(split("Report#OOM#Not Report","#"),random() % 3)
    | eval Title=mvindex(split("Windows#Linux","#"),random() % 2)
    | eval Rating=mvindex(split("H#M#L","#"),random() % 3)
    | eval Engage=mvindex(split("DE1234#NRT34#PL239","#"),random() % 3)
    | table Status     Engage Title   Rating]
| rename COMMENT as "This is sample data"
| rename COMMENT as "From here, the logic is"
| stats count by Status Engage Title Rating
| stats list(Rating) as Rating list(count) as count by Engage Title Status

Hi, @dtccsundar
I didn't know the quantity and type of data, so it looked like this.
If you specify the output table, I can fix it.

0 Karma

to4kawa
Ultra Champion
| makeresults 
| eval _raw="Engage,Title,Status,Rating,Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L
DE1234,Windows,Report,2,5,7,5,1,9,3
ky342,Linux,Not Report,6,7,,5,,4,   
Total,,,8,12,7,10,1,13,3" 
| multikv forceheader=1 
| table Engage,Title,Status,Rating,Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L

I see what you want, but there is no sample log.

Please check your POST.
[1]: http://C:\Users\acer\Desktop
This is your comment's link.

0 Karma

dtccsundar
Path Finder

I have a question about this:
"Assigned_count_1_H,Assigned_count_1_M,Assigned_count_1_L,Assigned_count_2_H,Assigned_count_2_M,Assigned_count_2_L"

How will this work? I am getting an error, and that's because we don't have these fields as such.
Can you please help with this?

0 Karma

to4kawa
Ultra Champion

The query above is a sample of the result you provided.
I can't make a query, because you don't show sample logs.

0 Karma

dtccsundar
Path Finder

Thank you for the search you provided, to4kawa.

Actually, I am seeing data for the data which I provided above. But I have around 200 other values like this. Can you please help me with a dynamic search which I can apply here?
Further, there is a total row at the bottom which will give the total for all Rating values (H, M, L).

Example Output format of matrix :

Engage Title Status Rating Assigned_Count_of_Rating Assigned_Count_of_Rating(2)
H L M H L M H L M
DE1234 Windows Report 2 10 5 2 5 6 8 3
NRT34 Linux OOM 5 2 10 5 2 0 1 2 1

Total 7 12 15 7 7 6 1 10 4

Can you please add the below manipulated fields (as in the example format above) to this matrix too, as I mentioned in my initial question.

- Total Count of Rating of H, M, and L (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L – where Assignee is not empty (3 fields) should be in different columns
- Assigned Count of Rating of H, M, and L – where Assignee is not empty (3 fields) should be in different columns
- Count of Info or Remediated, of Rating of H, M, and L – where Find_Closed = Yes (3 fields) should be in different columns
- Count of To Be Remediated, of DTCC_Rating of H, M, and L – where Find_Closed = No (3 fields) should be in different columns
- Count of OOM – records where Status = OOM Now

0 Karma

to4kawa
Ultra Champion

Sorry, I can't understand your matrix.

Engage Title Status Rating Assigned_Count_of_Rating Assigned_Count_of_Rating(2)

There are six fields here.

DE1234 Windows Report 2 10 5 2 5 6 8 3

There are eleven fields.

Is it a matrix? Rating values (H, M, L)? There is no sample log.

0 Karma

dtccsundar
Path Finder

Sorry, I have been out for a while on holiday, hence the delay.
I have attached the sample for the matrix and placed the sample below too.


Engage  Title    Status      Rating  Assigned count 1    Assigned count 2
                                     H    M    L         H    M    L
DE1234  Windows  Report      2       5    7    5         1    9    3
ky342   Linux    Not Report  6       7         5              4

Total                        8       12   7    10        1    13   3

0 Karma

aberkow
Builder

It's probably possible, but typically when asking a question here we need a raw log/event to work with. The structure of the query can change dramatically depending on how the logs are formatted; does that make sense?

0 Karma

dtccsundar
Path Finder

Hi aberkow,

Thank you for your reply; you are right, and that makes sense.

It is basically a SQL view from which we are creating a sourcetype in Splunk. The structure will be like:

Status      Engage  Title    Rating
Report      DE1234  Windows  H
OOM         NRT34   Linux    M
Not Report  PL239   Linux    L

Please let me know the search query for this matrix.

0 Karma
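The thread ends without a working search, so here is one added example of the requested matrix. It is not code from the thread or from any of the posters. It assumes the sourcetype carries the fields named in the question (Status, Engage, Title, Rating, Assignee, Find_Closed), that an "OOM" record is one whose Status value is exactly OOM (the question says "OOM Now", which is not shown in the sample), and it leaves out the second, undefined "Assigned count" column group. The first five lines build constructed sample rows in place of a real search; the stats block is the part to keep.

```spl
| makeresults
| eval rows=split("Report,DE1234,Windows,H,alice,No;Report,DE1234,Windows,H,,No;Report,DE1234,Windows,M,bob,Yes;OOM,NRT34,Linux,M,carol,No;OOM,NRT34,Linux,L,,Yes;Not Report,PL239,Linux,L,dave,No;Not Report,PL239,Linux,H,,Yes", ";")
| mvexpand rows
| rex field=rows "^(?<Status>[^,]*),(?<Engage>[^,]*),(?<Title>[^,]*),(?<Rating>[^,]*),(?<Assignee>[^,]*),(?<Find_Closed>[^,]*)$"
| fields - rows _time
| rename COMMENT as "Everything above builds constructed sample findings; replace it with the real search, e.g. index=... sourcetype=..."
| rename COMMENT as "Assumption: a finding is assigned when Assignee is present and not blank"
| eval is_assigned=if(isnull(Assignee) OR trim(Assignee)="", 0, 1)
| rename COMMENT as "One row per Engage+Title; each column is a conditional count split by Rating (H/M/L)"
| stats
    count(eval(Rating="H")) as Total_H
    count(eval(Rating="M")) as Total_M
    count(eval(Rating="L")) as Total_L
    count(eval(Rating="H" AND is_assigned=1)) as Assigned_H
    count(eval(Rating="M" AND is_assigned=1)) as Assigned_M
    count(eval(Rating="L" AND is_assigned=1)) as Assigned_L
    count(eval(Rating="H" AND Find_Closed="Yes")) as Remediated_H
    count(eval(Rating="M" AND Find_Closed="Yes")) as Remediated_M
    count(eval(Rating="L" AND Find_Closed="Yes")) as Remediated_L
    count(eval(Rating="H" AND Find_Closed="No")) as ToBeRemediated_H
    count(eval(Rating="M" AND Find_Closed="No")) as ToBeRemediated_M
    count(eval(Rating="L" AND Find_Closed="No")) as ToBeRemediated_L
    count(eval(Status="OOM")) as OOM
    by Engage Title
| rename COMMENT as "Assumption: the Total row is a plain column sum, labelled in the Engage column"
| addcoltotals labelfield=Engage label="Total"
```

Because every column is a count(eval(...)) inside one stats, new Engage/Title combinations appear as new rows automatically, which is what a dynamic search over ~200 values needs; only the Rating and Status values are hard-coded, and only the field names above must exist in the sourcetype. If the second "Assigned count" group has a different condition, copy the three Assigned_* lines with that condition and a new prefix.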