I'm building an order flow chart with JointJS. As an order progresses, it passes through 4-5 application layers multiple times.
For example, the order passes through App A twice, through App B five times, and so on.
In the flowchart, I want to show every pass of the order through App A in a single box, and likewise for the rest of the apps. Using the stats command I created multivalue fields for this and defined the FROM and TO fields that JointJS requires. With multivalue fields, however, the JointJS diagram does not render; when I convert the multivalue fields to single values, it loads. Is there a way to create the JointJS diagram from multivalue fields? My complete SPL is below, in case my question is not clear.
Working Single Value:
index="ccb-eai" "1-324447214042" (("SalesOrderProvisioningAcknowledgement" AND "CCB EAI SalesOrderProvisioningAcknowledgement Req" ) OR ("ACSSalesOrderProvisioning" AND "Splunk.MonitorMessage.Request") OR ("SalesOrderItemResponse" AND "Splunk.MonitorMessage.Request"))
``` Purpose: build a per-application timeline for one order number and emit FROM/TO/App rows for the JointJS diagram. The base search above collects the three EAI message types for the order. ```
| fields - _raw
| table _time,source,bename
``` Map each EAI message type (bename) to a readable STATUS label. ```
| eval STATUS=case(bename=="ACSSalesOrderProvisioning","Order Received in EAI",bename=="SalesOrderProvisioningAcknowledgement","SOPA Received in EAI",bename=="SalesOrderItemResponse","SOIR Received in EAI")
| table _time,STATUS
``` Add the inbound createOrder events from the islful index. ```
| append
[ search index="islful" "1-324447214042" "createOrder" "REQUEST_INBOUND"
| eval STATUS="Order Received in ISLFUL"
| table _time,STATUS]
``` Add the create and submit dates carried in the ACSSalesOrderProvisioning message; transpose turns the two columns into two rows, and each date string becomes that row's _time. ```
``` NOTE(review): the two rex patterns below look truncated (the named capture groups seem to have been lost when the page was rendered); presumably they extract SubmitDate and CreateDate, which the following table command reads. Confirm against the original search. ```
| append
[ search index="ccb-eai" "1-324447214042" bename=ACSSalesOrderProvisioning
| rex "(?i)\(?P[^<]+)"
| rex "(?i)\(?P[^<]+)"
| table _time,SubmitDate,CreateDate
| rename CreateDate as "Order Created in RCRM",SubmitDate as "Order Submitted in RCRM"
| transpose 0
| where column!="_time"
| rename "row 1" as "row" , column as "STATUS"
| eval _time=strptime(row,"%m/%d/%Y %H:%M:%S")
| fields - row]
``` Add the rows for this order from the kv_tcoe_order_timeline_tracker lookup; _time is parsed from the Time field. ```
| append
[| inputlookup kv_tcoe_order_timeline_tracker
| where like(OrderNumber,"%1-324447214042%")
| eval STATUS="Order Received in OMFUL"
| eval _time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| table _time,STATUS]
``` Add the OMFUL contract-table events; the label is built from the event's own STATUS field and _time from MODIFIED_DATE. ```
| append
[ search index=omful source=OMFUL_DB_TBL_CONTRACT* "*1-324447214042*"
| eval _time=strptime(MODIFIED_DATE,"%Y-%m-%d %H:%M:%S")
| eval STATUS="Order ".STATUS." in OMFUL"
| table _time,STATUS]
``` Order all collected events by time and prefix each STATUS with its millisecond timestamp. ```
| sort _time
| eval Timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval STATUS=Timestamp."-->".STATUS
``` Derive FROM, TO and App from the STATUS text. The stats command below outputs only STATUS, Timestamp and App, so the FROM and TO values computed here are dropped and rebuilt afterwards. ```
|eval FROM=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"RCRM", like(STATUS,"%Order Received in ISLFUL%"),"EAI", like(STATUS,"%Order Received in OMFUL%"),"ISLFUL", like(STATUS,"%SOPA Received in EAI%"),"ISLFUL", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"ISLFUL")
|eval TO=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"ISLFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
|eval App=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
``` Collapse to one row per App; STATUS and Timestamp become multivalue fields holding every pass through that app. ```
|stats list(STATUS) as STATUS,list(Timestamp) as Timestamp by App
``` Link each app row to a neighbour: with the rows sorted descending, streamstats (current=false window=1) copies the preceding row's STATUS values into TO; the row that has no predecessor is then dropped. ```
|sort - STATUS
| streamstats current=false window=1 values(STATUS) as TO
|sort STATUS
|where isnotnull(TO)
|rename STATUS as "FROM"
|fields FROM,TO,App
``` Flatten the multivalue FROM and TO fields into single comma-separated strings. ```
|eval FROM=mvjoin(FROM,",")
|eval TO=mvjoin(TO,",")
Not Working Multivalue:
index="ccb-eai" "1-324447214042" (("SalesOrderProvisioningAcknowledgement" AND "CCB EAI SalesOrderProvisioningAcknowledgement Req" ) OR ("ACSSalesOrderProvisioning" AND "Splunk.MonitorMessage.Request") OR ("SalesOrderItemResponse" AND "Splunk.MonitorMessage.Request"))
``` Purpose: build a per-application timeline for one order number and emit FROM/TO/App rows for the JointJS diagram, leaving FROM and TO as multivalue fields. The base search above collects the three EAI message types for the order. ```
| fields - _raw
| table _time,source,bename
``` Map each EAI message type (bename) to a readable STATUS label. ```
| eval STATUS=case(bename=="ACSSalesOrderProvisioning","Order Received in EAI",bename=="SalesOrderProvisioningAcknowledgement","SOPA Received in EAI",bename=="SalesOrderItemResponse","SOIR Received in EAI")
| table _time,STATUS
``` Add the inbound createOrder events from the islful index. ```
| append
[ search index="islful" "1-324447214042" "createOrder" "REQUEST_INBOUND"
| eval STATUS="Order Received in ISLFUL"
| table _time,STATUS]
``` Add the create and submit dates carried in the ACSSalesOrderProvisioning message; transpose turns the two columns into two rows, and each date string becomes that row's _time. ```
``` NOTE(review): the two rex patterns below look truncated (the named capture groups seem to have been lost when the page was rendered); presumably they extract SubmitDate and CreateDate, which the following table command reads. Confirm against the original search. ```
| append
[ search index="ccb-eai" "1-324447214042" bename=ACSSalesOrderProvisioning
| rex "(?i)\(?P[^<]+)"
| rex "(?i)\(?P[^<]+)"
| table _time,SubmitDate,CreateDate
| rename CreateDate as "Order Created in RCRM",SubmitDate as "Order Submitted in RCRM"
| transpose 0
| where column!="_time"
| rename "row 1" as "row" , column as "STATUS"
| eval _time=strptime(row,"%m/%d/%Y %H:%M:%S")
| fields - row]
``` Add the rows for this order from the kv_tcoe_order_timeline_tracker lookup; _time is parsed from the Time field. ```
| append
[| inputlookup kv_tcoe_order_timeline_tracker
| where like(OrderNumber,"%1-324447214042%")
| eval STATUS="Order Received in OMFUL"
| eval _time=strptime(Time,"%Y-%m-%d %H:%M:%S")
| table _time,STATUS]
``` Add the OMFUL contract-table events; the label is built from the event's own STATUS field and _time from MODIFIED_DATE. ```
| append
[ search index=omful source=OMFUL_DB_TBL_CONTRACT* "*1-324447214042*"
| eval _time=strptime(MODIFIED_DATE,"%Y-%m-%d %H:%M:%S")
| eval STATUS="Order ".STATUS." in OMFUL"
| table _time,STATUS]
``` Order all collected events by time and prefix each STATUS with its millisecond timestamp. ```
| sort _time
| eval Timestamp=strftime(_time,"%Y-%m-%d %H:%M:%S.%3Q")
| eval STATUS=Timestamp."-->".STATUS
``` Derive FROM, TO and App from the STATUS text. The stats command below outputs only STATUS, Timestamp and App, so the FROM and TO values computed here are dropped and rebuilt afterwards. ```
|eval FROM=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"RCRM", like(STATUS,"%Order Received in ISLFUL%"),"EAI", like(STATUS,"%Order Received in OMFUL%"),"ISLFUL", like(STATUS,"%SOPA Received in EAI%"),"ISLFUL", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"ISLFUL")
|eval TO=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"ISLFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
|eval App=case(like(STATUS,"%Order Created in RCRM%"),"RCRM", like(STATUS,"%Order Submitted in RCRM%"),"RCRM", like(STATUS,"%Order Received in EAI%"),"EAI", like(STATUS,"%Order Received in ISLFUL%"),"ISLFUL", like(STATUS,"%Order Received in OMFUL%"),"OMFUL", like(STATUS,"%SOPA Received in EAI%"),"EAI", like(STATUS,"%Order In Progress in OMFUL%"),"OMFUL", like(STATUS,"%SOIR Received in EAI%"),"EAI")
``` Collapse to one row per App; STATUS and Timestamp become multivalue fields holding every pass through that app. ```
|stats list(STATUS) as STATUS,list(Timestamp) as Timestamp by App
``` Link each app row to a neighbour: with the rows sorted descending, streamstats (current=false window=1) copies the preceding row's STATUS values into TO; the row that has no predecessor is then dropped. ```
|sort - STATUS
| streamstats current=false window=1 values(STATUS) as TO
|sort STATUS
|where isnotnull(TO)
|rename STATUS as "FROM"
``` No mvjoin follows, so FROM and TO reach the visualization as multivalue fields rather than single strings. ```
|fields FROM,TO,App
Regards,
Chris.