I have clients that are identified differently in different sourcetypes, but they all resolve to the same client name. I have a lookup table that has the different identifiers and their "friendly name". The table looks like this:

```
cs_username, site_id, Client
jacks-box1, jacksonUp, Jacksonville
macon-no2, maconUp, Macon
atl01, atlantaUp, Atlanta
```
Sourcetypes are IIS log files and a custom inventory log that is generated at each location and uploaded. I need to combine information from both sourcetypes into one table. I have a search that looks like this, and it works perfectly for the IIS sourcetype. Note that this search has been obfuscated.

```
sourcetype="iis" [inputlookup ClientList.csv | fields cs_username]
| eval Agent=cs_User_Agent_
| makemv delim=";" Agent | eval Data=mvindex(Agent,2)
| makemv delim="/" Data
| eval Open=mvindex(Data,0)
| eval Available=mvindex(Data,1)
| eval Hits=mvindex(Data,2)
| append [ search sourcetype="iis" [inputlookup ClientList.csv | fields cs_username]
    GET cs_uri_stem="*region*/Recvd*.pdf"
    | stats sum(sc_bytes) as Bytes by cs_username | eval MB=Bytes/1024/1024 | eval MB=round(MB,1)]
| append [search sourcetype="iis" [inputlookup ClientList.csv | fields cs_username] GET cs_uri_stem="*region*/Recvd*" .pdf| stats count(cs_uri_stem) as Recvd by cs_username]
| lookup ClientList.csv cs_username OUTPUT Client
| stats first(Client) AS Client, first(Open) as Open, first(Available) as Available, first(Hits) as Hits, first(MB) as MB, first(Recvd) AS Recvd, sum(eval(sc_bytes/1024/1024)) as MBs
| fillnull value="0" Recvd MB
| rename MB as "Recvd MB"
| table Client, Open, Available, Hits, Hours, Recvd, "Recvd MB"
```
The second append counts the number of PDF files the client received. The output looks like this:
| Client | Open | Available | Hits | Hours | Recvd | MB Recvd |
|---|---|---|---|---|---|---|
| Jacksonville | 126 | 0 | 325 | .25 | 18 | 185 |
| Atlanta | 92 | 0 | 220 | .12 | 9 | 75 |
| Macon | 140 | 1 | 571 | .51 | 27 | 248 |
I have a new sourcetype called inventory that contains information about the PDF files the user was supposed to receive on any given day. The key field is site_id which, as can be seen in the lookup table above, is different from the cs_username in the IIS sourcetype. I need to insert a search that looks like this right before the second append, above.

```
| append [search sourcetype="inventory" del_date="13/05/*" [inputlookup ClientList.csv | fields site_id] .pdf| stats count(del_date) as Assign by site_id
    | lookup ClientList.csv site_id OUTPUT Client]
```
This search, in and of itself, works. I need to place the value "Assign" to the immediate left of the Recvd column. Then the output would look like this:

| Client | Open | Available | Hits | Hours | Assign | Recvd | MB Recvd |
|---|---|---|---|---|---|---|---|
| Jacksonville | 126 | 0 | 325 | .25 | 18 | 18 | 185 |
| Atlanta | 92 | 0 | 220 | .12 | 10 | 9 | 75 |
| Macon | 140 | 1 | 571 | .51 | 27 | 27 | 248 |
For the life of me I can't figure out how to make this append work. The overall search runs, but the Assign column is always blank. I can add it to the fillnull command and get a zero for each record, so I know that the field is being processed. I have included the field in the stats section.