
How to edit my search to prevent getting duplicate results with mvexpand?

I have a set of ticket data and am trying to match the words with the description to track issues. My current search is getting duplicates and I'm wondering if this is the best approach anyway.

Current search:

    index=myindex sourcetype=blah
    | makemv delim="##Survey##" description
    | eval description=mvindex(description,0)
    | makemv description
    | mvexpand description
    | search description [ | inputlookup TicketWords.csv | rename Words as description ]
    | eval description=lower(description)
    | top 50 description

TicketWords.csv = 34 entries under Words

Search would match “phone”, but also iphone and causes duplicates.

Here is a sample event:

    "2016-10-31 08:16:04" incidentId="16245821", active="1", createBy="x213163", fullname="Smith, John", createDate="2016-10-31 12:14:35.817", description="I just migrated to phone and have 2 x 24" monitors.  Both display the same output. Can't change to have two independent monitors. ##Survey## Please choose the option which best describes your problem.: MONITOR CONFIGURATION ON DESKTOP OR LAPTOP - Do you need assistance setting up multiple monitors on your corporate laptop or desktop?: yes - Your ticket has been identified as an issue that can be resolved with the assistance of the Hub website. Among other features, this site will show you How-To Setup Dual Monitors on a Desktop or Laptop. https://hub.my.net/HowTo/HowToLandingPage?helparticle=6441:  - Did the above solution resolve your issue?: no - Please select an option: I tried applying the solution but it did not fix my issue", groupId="5191", groupName="Blah NA TTT Desktop Enterprise"
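One way to count whole-word matches once per ticket, given here as an added example that is not part of the original post. It reuses the index, sourcetype, `TicketWords.csv` and `Words` names from the question and assumes the entries under `Words` are stored in lower case, since CSV lookups match case-sensitively by default; the field names `desc_text`, `word` and `matched` are illustrative.

```spl
index=myindex sourcetype=blah
| eval desc_text=lower(mvindex(split(description, "##Survey##"), 0))
| rex field=desc_text max_match=0 "(?<word>[a-z0-9]+)"
| eval word=mvdedup(word)
| mvexpand word
| lookup TicketWords.csv Words AS word OUTPUT Words AS matched
| where isnotnull(matched)
| top 50 word
```

Because `rex` with `max_match=0` pulls out every alphanumeric token and `lookup` compares whole values, the token `iphone` no longer matches a `phone` entry. `mvdedup` keeps a word that occurs several times in one description from being counted more than once for that ticket.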
