https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54201#M13224 <P>Hi, I got stuck in translating the following SQL query into Splunk Search Query:</P> <P>"<STRONG>LAG</STRONG> ( BCOLLDT, 1) <STRONG>OVER</STRONG> ( <STRONG>PARTITION BY</STRONG> PID <STRONG>ORDER BY</STRONG> PID, BCOLLDT, LASTREPTDT, PRCPDD, EXECPRCPUNIQNO )"</P> <P>Here, BCOLLDT, PID, LASTREPTDT, PRCPDD, EXECPRCPUNIQNO are fields, respectively.</P> <P>Any help ??</P> Wed, 05 Dec 2012 05:34:43 GMT syusjk6 2012-12-05T05:34:43Z https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54201#M13224 <P>Hi, I got stuck in translating the following SQL query into Splunk Search Query:</P> <P>"<STRONG>LAG</STRONG> ( BCOLLDT, 1) <STRONG>OVER</STRONG> ( <STRONG>PARTITION BY</STRONG> PID <STRONG>ORDER BY</STRONG> PID, BCOLLDT, LASTREPTDT, PRCPDD, EXECPRCPUNIQNO )"</P> <P>Here, BCOLLDT, PID, LASTREPTDT, PRCPDD, EXECPRCPUNIQNO are fields, respectively.</P> <P>Any help ??</P> Wed, 05 Dec 2012 05:34:43 GMT https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54201#M13224 syusjk6 2012-12-05T05:34:43Z https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54202#M13225 <P>It would help those of us who don't use Oracle SQL if we could understand the problem in English. My interpretation is</P> <P><EM>For each PID, sort the events by the list of fields, then compare the BCOLLDT value in each event with the BCOLLDT value in the preceding event.</EM></P> <P>But I could be very wrong. And that still doesn't tell me - "what are you trying to accomplish?"</P> <P>I often find that a completely different approach with Splunk can give a better answer more quickly. I hesitate to simply translate from SQL to SPL.</P> Wed, 05 Dec 2012 08:28:18 GMT https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54202#M13225 lguinn2 2012-12-05T08:28:18Z https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54203#M13226 <P>I'm not very proficient in Oracle SQL syntax either, but maybe this could help somehow? <A href="http://splunk-base.splunk.com/answers/41986/lead-lag-in-splunk">http://splunk-base.splunk.com/answers/41986/lead-lag-in-splunk</A></P> Wed, 05 Dec 2012 08:46:02 GMT https://community.splunk.com/t5/Splunk-Search/Translating-SQL-Query-into-Splunk-Search-Query-quot-LAG-OVER/m-p/54203#M13226 Ayn 2012-12-05T08:46:02Z