topic Re: Getting a field value from the previous event in Splunk Search

Getting a field value from the previous event

OL — Fri, 05 Aug 2011 10:14:00 GMT

Hi all,

I'd like to retrieve a field value from the previous event. I've used streamstats last(myfield), but this takes the value from the current event and not from the previous one.

Explanation: I have:

field1=abc, field2=abc2
field1=def, field2=def2
field1=ghi, field2=ghi2

I'd like to have:

field1=abc, field2=abc2, oldfield2= (or nothing)
field1=def, field2=def2, oldfield2=abc2
field1=ghi, field2=ghi2, oldfield2=def2

Using "streamstats last()" gives me:

field1=abc, field2=abc2, oldfield2=abc2
field1=def, field2=def2, oldfield2=def2
field1=ghi, field2=ghi2, oldfield2=ghi2

Would anyone have any idea?

Regards,
Olivier

Re: Getting a field value from the previous event

gkanapathy — Fri, 05 Aug 2011 12:27:34 GMT

Use the parameter "current=f" in streamstats.

Re: Getting a field value from the previous event

OL — Mon, 08 Aug 2011 10:12:33 GMT

It seems to have a documentation mistake on the default value for the "current" parameter. It mentions the default is be false while if you don't set this parameter in the command, it sets it to true! I'm using version 4.2.2, build 101277.

Thank you very much for your answer.

Regards, Olivier

Re: Getting a field value from the previous event

Lowell — Mon, 08 Aug 2011 18:22:47 GMT

You can add a comment/note to the docs (online), or email docs@splunk.com. Otherwise this comment may go unnoticed.