https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535811#M151452 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;</P><P>Thanks for reply. But in this spl I am getting all the extracted field.</P><P>For more information. I have posted 2 files. one is containing "Failed" and other is "Passed" in the last 2 LogItem tag.</P><P>I just wanted to extract the as below:</P><P>Timestamp</P><TABLE border="1" width="100.18248044394593%"><TBODY><TR><TD width="33.333333333333336%"><STRONG>Timestamp</STRONG></TD><TD width="16.666666666666668%"><STRONG>File</STRONG></TD><TD width="16.666666666666668%"><STRONG>Status</STRONG></TD><TD width="8.333333333333334%"><STRONG>Message</STRONG></TD></TR><TR><TD width="33.333333333333336%">12/15/2020 2:45:11 AM.226</TD><TD width="16.666666666666668%">File 1</TD><TD width="16.666666666666668%">Failed</TD><TD width="8.333333333333334%">No files found. Stopped.</TD></TR><TR><TD width="33.333333333333336%">1/6/2021 2:45:05 AM.587</TD><TD width="16.666666666666668%">File 2</TD><TD width="16.666666666666668%">Passed</TD><TD width="8.333333333333334%">Download of file.txt succeeded.</TD></TR></TBODY></TABLE> Thu, 14 Jan 2021 10:52:28 GMT dhirendra761 2021-01-14T10:52:28Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535726#M151414 <P>Hi Splunkers,</P><P>Below is my issue:</P><P>Having multiple xml files, I need to monitor all the files and extracted the values from<STRONG>&nbsp;<SPAN>Status (Failed or Passed)&nbsp;and&nbsp;Message.</SPAN></STRONG></P><P><STRONG><SPAN>1) If status =&nbsp;<EM>Failed<FONT face="inherit">&nbsp;then extract&nbsp;the "2nd last" message of LogItem value (ex:&nbsp;<FONT color="#FF0000">No&nbsp;files&nbsp;found.&nbsp;Stopped. )</FONT></FONT></EM></SPAN></STRONG></P><P><SPAN><STRONG>1) If status =&nbsp;<EM>Passed<FONT face="inherit">&nbsp;then extract&nbsp;the "last" message of LogItem value (ex:<FONT color="#FF0000">&nbsp;Download&nbsp;of&nbsp;file.txt&nbsp;succeeded.&nbsp;)</FONT></FONT></EM></STRONG></SPAN></P><P>I am trying as below but need to correct it.</P><LI-SPOILER>&lt;search&gt; | spath output=Message path=LogFile.LogItem.Message{2}<BR />| spath output=Timestamp path=LogFile.LogItem{@Timestamp}<BR />| spath output=Status path=LogFile.LogItem{@Status}<BR />| stats last(eval(Status="Passed")) as Passed_Status first(eval(Status="Failed")) as Failed_Status last(Timestamp) as Timestamp last(Message) as last_Message first(Message) as first_Message by source</LI-SPOILER><P>Thank you in advance!.</P><P>&nbsp;</P><LI-CODE lang="markup">FIRST FILE: &lt;LogFile&gt; &lt;LogItem Timestamp="12/15/2020 2:45:04 AM.412" Priority="0" Status="Neutral" Sequence="1"&gt; &lt;Message&gt;Download start at 12/15/2020 2:45:04 AM &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:04 AM.414" Priority="0" Status="Neutral" Sequence="2"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:04 AM.420" Priority="0" Status="Neutral" Sequence="3"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:08 AM.797" Priority="0" Status="Passed" Sequence="4"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:08 AM.799" Priority="0" Status="Neutral" Sequence="5"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:11 AM.226" Priority="0" Status="Failed" Sequence="6"&gt; &lt;Message&gt;No files found. Stopped. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="12/15/2020 2:45:11 AM.345" Priority="0" Status="Failed" Sequence="7"&gt; &lt;Message&gt;Error StackTrace: at XXX.Program.Main(String[] args) &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt; =================================================================== SECOND File: &lt;LogFile&gt; &lt;LogItem Timestamp="06/12/2020 10:25:04.69" Priority="0" Status="Neutral" Sequence="1"&gt; &lt;Message&gt;Download start at 06/12/2020 10:25:04 &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="06/12/2020 10:25:04.72" Priority="0" Status="Neutral" Sequence="2"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="06/12/2020 10:25:04.78" Priority="0" Status="Neutral" Sequence="3"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="06/12/2020 10:25:05.243" Priority="0" Status="Passed" Sequence="4"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="06/12/2020 10:25:05.246" Priority="0" Status="Neutral" Sequence="5"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="1/6/2021 2:45:05 AM.587" Priority="0" Status="Passed" Sequence="6"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp="1/6/2021 2:45:08 AM.274" Priority="0" Status="Passed" Sequence="7"&gt; &lt;Message&gt;Download of file.txt succeeded. &lt;/Message&gt; &lt;StackTrace Depth="1" Method="XXX.Program.Main"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt;</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 13 Jan 2021 22:19:59 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535726#M151414 dhirendra761 2021-01-13T22:19:59Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535780#M151439 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/15147">@somesoni2</a>,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/1406">@woodcock</a>&nbsp;,&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/73220">@sdchakraborty</a>&nbsp;Any input on this please.</P><P>Thank you.</P> Thu, 14 Jan 2021 08:32:37 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535780#M151439 dhirendra761 2021-01-14T08:32:37Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535793#M151446 <LI-CODE lang="markup">index=_internal | head 1 | fields _raw _time |eval _raw="&lt;LogFile&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.412\" Priority=\"0\" Status=\"Neutral\" Sequence=\"1\"&gt; &lt;Message&gt;Download start at 12/15/2020 2:45:04 AM &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.414\" Priority=\"0\" Status=\"Neutral\" Sequence=\"2\"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.420\" Priority=\"0\" Status=\"Neutral\" Sequence=\"3\"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:08 AM.797\" Priority=\"0\" Status=\"Passed\" Sequence=\"4\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:08 AM.799\" Priority=\"0\" Status=\"Neutral\" Sequence=\"5\"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:11 AM.226\" Priority=\"0\" Status=\"Failed\" Sequence=\"6\"&gt; &lt;Message&gt;No files found. Stopped. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:11 AM.345\" Priority=\"0\" Status=\"Failed\" Sequence=\"7\"&gt; &lt;Message&gt;Error StackTrace: at XXX.Program.Main(String[] args) &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt;" | appendpipe [ | eval _raw="&lt;LogFile&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.69\" Priority=\"0\" Status=\"Neutral\" Sequence=\"1\"&gt; &lt;Message&gt;Download start at 06/12/2020 10:25:04 &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.72\" Priority=\"0\" Status=\"Neutral\" Sequence=\"2\"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.78\" Priority=\"0\" Status=\"Neutral\" Sequence=\"3\"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:05.243\" Priority=\"0\" Status=\"Passed\" Sequence=\"4\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:05.246\" Priority=\"0\" Status=\"Neutral\" Sequence=\"5\"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"1/6/2021 2:45:05 AM.587\" Priority=\"0\" Status=\"Passed\" Sequence=\"6\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"1/6/2021 2:45:08 AM.274\" Priority=\"0\" Status=\"Passed\" Sequence=\"7\"&gt; &lt;Message&gt;Download of file.txt succeeded. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt;"] | spath LogFile output=Logfile | streamstats count as session | stats count by Logfile session | rex field=Logfile mode=sed "s/(?ms)(LogItem\&gt;)/\1#/g" | makemv delim="#" Logfile | mvexpand Logfile | spath input=Logfile | rename LogItem.* as LogItem_*, *{@*} as *_* | sort session LogItem_Sequence | fields - count Logfile</LI-CODE> Thu, 14 Jan 2021 09:15:04 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535793#M151446 to4kawa 2021-01-14T09:15:04Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535811#M151452 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;</P><P>Thanks for reply. But in this spl I am getting all the extracted field.</P><P>For more information. I have posted 2 files. one is containing "Failed" and other is "Passed" in the last 2 LogItem tag.</P><P>I just wanted to extract the as below:</P><P>Timestamp</P><TABLE border="1" width="100.18248044394593%"><TBODY><TR><TD width="33.333333333333336%"><STRONG>Timestamp</STRONG></TD><TD width="16.666666666666668%"><STRONG>File</STRONG></TD><TD width="16.666666666666668%"><STRONG>Status</STRONG></TD><TD width="8.333333333333334%"><STRONG>Message</STRONG></TD></TR><TR><TD width="33.333333333333336%">12/15/2020 2:45:11 AM.226</TD><TD width="16.666666666666668%">File 1</TD><TD width="16.666666666666668%">Failed</TD><TD width="8.333333333333334%">No files found. Stopped.</TD></TR><TR><TD width="33.333333333333336%">1/6/2021 2:45:05 AM.587</TD><TD width="16.666666666666668%">File 2</TD><TD width="16.666666666666668%">Passed</TD><TD width="8.333333333333334%">Download of file.txt succeeded.</TD></TR></TBODY></TABLE> Thu, 14 Jan 2021 10:52:28 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535811#M151452 dhirendra761 2021-01-14T10:52:28Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535815#M151453 <LI-CODE lang="markup">.... | where match(LogItem_Message,"Stopped|succeeded")</LI-CODE><P>I don't think it can be judged on your terms.<BR />How can you tell the difference between "Failed" and "Passed"?</P> Thu, 14 Jan 2021 11:07:38 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535815#M151453 to4kawa 2021-01-14T11:07:38Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535817#M151454 <P>Yes you are right. But I was thinking to extract 2nd last message when status=failed otherwise extract last message.</P><P>Something by stats command.</P><P>Isn't possible?</P> Thu, 14 Jan 2021 11:18:12 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535817#M151454 dhirendra761 2021-01-14T11:18:12Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535824#M151455 <LI-CODE lang="markup">... | eventstats max(LogItem_Sequence) as last_sequence by session | where (LogItem_Status="Failed" AND LogItem_Sequence=last_sequence - 1) OR (LogItem_Status="Passed" AND LogItem_Sequence=last_sequence)</LI-CODE> Thu, 14 Jan 2021 11:57:02 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535824#M151455 to4kawa 2021-01-14T11:57:02Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535841#M151462 <P>Hi Dhirendra,</P><P>Can you try the below query,<BR /><BR /></P><LI-CODE lang="markup">index=_internal | head 1 | fields _raw _time |eval _raw="&lt;LogFile&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.412\" Priority=\"0\" Status=\"Neutral\" Sequence=\"1\"&gt; &lt;Message&gt;Download start at 12/15/2020 2:45:04 AM &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.414\" Priority=\"0\" Status=\"Neutral\" Sequence=\"2\"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:04 AM.420\" Priority=\"0\" Status=\"Neutral\" Sequence=\"3\"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:08 AM.797\" Priority=\"0\" Status=\"Passed\" Sequence=\"4\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:08 AM.799\" Priority=\"0\" Status=\"Neutral\" Sequence=\"5\"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:11 AM.226\" Priority=\"0\" Status=\"Failed\" Sequence=\"6\"&gt; &lt;Message&gt;No files found. Stopped. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"12/15/2020 2:45:11 AM.345\" Priority=\"0\" Status=\"Failed\" Sequence=\"7\"&gt; &lt;Message&gt;Error StackTrace: at XXX.Program.Main(String[] args) &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt;", source = "file1" | appendpipe [ | eval _raw="&lt;LogFile&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.69\" Priority=\"0\" Status=\"Neutral\" Sequence=\"1\"&gt; &lt;Message&gt;Download start at 06/12/2020 10:25:04 &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.72\" Priority=\"0\" Status=\"Neutral\" Sequence=\"2\"&gt; &lt;Message&gt;Setup Configuration&lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:04.78\" Priority=\"0\" Status=\"Neutral\" Sequence=\"3\"&gt; &lt;Message&gt;Session starts to connect. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:05.243\" Priority=\"0\" Status=\"Passed\" Sequence=\"4\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"06/12/2020 10:25:05.246\" Priority=\"0\" Status=\"Neutral\" Sequence=\"5\"&gt; &lt;Message&gt;starts to tranfer file. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"1/6/2021 2:45:05 AM.587\" Priority=\"0\" Status=\"Passed\" Sequence=\"6\"&gt; &lt;Message&gt;Session connected successfully. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;LogItem Timestamp=\"1/6/2021 2:45:08 AM.274\" Priority=\"0\" Status=\"Passed\" Sequence=\"7\"&gt; &lt;Message&gt;Download of file.txt succeeded. &lt;/Message&gt; &lt;StackTrace Depth=\"1\" Method=\"XXX.Program.Main\"/&gt; &lt;/LogItem&gt; &lt;/LogFile&gt;", source = "file2"] | spath LogFile.LogItem{@Status} output=status | spath LogFile.LogItem.Message output=Message | table source,status,Message | eval latest_status = mvindex(status,-1) | eval Final_Msg = case(latest_status="Failed",mvindex(Message,-2),latest_status="Passed",mvindex(Message,-1))</LI-CODE> Thu, 14 Jan 2021 13:37:45 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535841#M151462 techiesid 2021-01-14T13:37:45Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535859#M151471 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/162676">@techiesid</a>&nbsp;,</P><P>&nbsp;</P><P>Thank you so much it work perfectly!.<span class="lia-unicode-emoji" title=":grinning_face:">😀</span><span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> Thu, 14 Jan 2021 15:26:30 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535859#M151471 dhirendra761 2021-01-14T15:26:30Z https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535863#M151473 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/184221">@to4kawa</a>&nbsp;,</P><P>Thank for answers,<STRONG> I am getting exact result after apply your suggested query</STRONG>.<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P><LI-CODE lang="markup">&lt;search&gt;.....| spath LogFile output=Logfile | streamstats count as session | stats count first(source) as source by Logfile session | rex field=Logfile mode=sed "s/(?ms)(LogItem\&gt;)/\1#/g" | makemv delim="#" Logfile | mvexpand Logfile | spath input=Logfile | rename LogItem.* as LogItem_*, *{@*} as *_* | eventstats max(LogItem_Sequence) as last_sequence first(source) by session | where (LogItem_Status="Failed" AND LogItem_Sequence=last_sequence - 1) OR (LogItem_Status="Passed" AND LogItem_Sequence=last_sequence)</LI-CODE><P>Although, I accepted the other answer as it was too simple to understand.</P><P>Thank you for your support and time.&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Thu, 14 Jan 2021 15:41:27 GMT https://community.splunk.com/t5/Splunk-Search/Extract-values-from-field-conditionally-on-other-field-value/m-p/535863#M151473 dhirendra761 2021-01-14T15:41:27Z