https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266579#M176387 <P>Hi,</P> <P>Thanks for your try but that still isnt quite there.</P> <P>Simply put I think I need to add the vamAssetId field and value to each event that matches the specific jobId.</P> <P>I.e if there is one event with:</P> <P>jobId=527A63<BR /> vamAssetId=815164</P> <P>I need every event with jobId=527A63 to have vamAssetId=815164 added to it. This seems like the simplest solution but I've run out of brain power to do it.</P> Mon, 24 Oct 2016 10:38:27 GMT 999chris 2016-10-24T10:38:27Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266574#M176382 <P>Hi,</P> <P>Here are a few log examples (I've just shown the fields extracted for simplicity):</P> <P>00:19:07 -<BR /> jobId=527A63<BR /> vamAssetId=815164</P> <P>00:37:15 -<BR /> jobId=527A63<BR /> status=encoding<BR /> progress=20</P> <P>10:08:28 -<BR /> jobId=EE7086<BR /> vamAssetId=2359740</P> <P>10:08:37 -<BR /> jobId=EE7086<BR /> status=starting</P> <P>...</P> <P>So I'd like to present the statuses of each vamAssetId in a table - thus:</P> <PRE><CODE>|vamAssetId|status |progress |815164 |encoding|20 |2359740 |starting |0 </CODE></PRE> <P>Trouble is the "vamAssetId" fields are not referenced in the same events as a "status" or "progress". The vamAssetId is assigned a jobId early on and the jobId is the only common reference between the two.</P> <P>I have the current search query, but I cant finish off and display this information logically. Could you help please?</P> <PRE><CODE>index=ateme [search index=ateme vamAssetId=815164 | fields jobId] | eval progress=if(status="complete",100,if(status="starting",0,progress)) | table jobId status progress </CODE></PRE> Thu, 20 Oct 2016 09:44:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266574#M176382 999chris 2016-10-20T09:44:04Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266575#M176383 <P>Try this. </P> <PRE><CODE>index=ateme | transaction jobId | eval progress=case(status="complete",100, status="starting",0, 1=1, progress) | table vamAssetId jobId status progress </CODE></PRE> Thu, 20 Oct 2016 12:06:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266575#M176383 richgalloway 2016-10-20T12:06:20Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266576#M176384 <P>Hi Rich,</P> <P>Thanks for your reply. But this is not matching any events.</P> Thu, 20 Oct 2016 12:19:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266576#M176384 999chris 2016-10-20T12:19:28Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266577#M176385 <P>Try this</P> <PRE><CODE>index=ateme | eventstats values(vamAssetId) as vamAssetId by jobid | eval progress=if(status="complete",100,if(status="starting",0,progress)) | stats latest(status) as status latest(progress) as progress by vamAssetId | fillnull </CODE></PRE> <P>*<STRONG><EM>OR</EM></STRONG>*</P> <PRE><CODE>index=ateme | eventstats values(vamAssetId) as vamAssetId by jobid | eval progress=if(status="complete",100,if(status="starting",0,progress)) | where isnotnull(status) OR isnotnull(progress) | table vamAssetId status progres </CODE></PRE> Thu, 20 Oct 2016 12:52:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266577#M176385 sundareshr 2016-10-20T12:52:01Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266578#M176386 <P>Hi,</P> <P>Thanks for your try but that still isnt quite there.</P> <P>Simply put I think I need to add the vamAssetId field and value to each event that matches the specific jobId.</P> <P>I.e if there is one event with:</P> <P>jobId=527A63<BR /> vamAssetId=815164</P> <P>I need every event with jobId=527A63 to have vamAssetId=815164 added to it. This seems like the simplest solution but I've run out of brain power to do it.</P> Thu, 20 Oct 2016 13:30:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266578#M176386 999chris 2016-10-20T13:30:24Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266579#M176387 <P>Hi,</P> <P>Thanks for your try but that still isnt quite there.</P> <P>Simply put I think I need to add the vamAssetId field and value to each event that matches the specific jobId.</P> <P>I.e if there is one event with:</P> <P>jobId=527A63<BR /> vamAssetId=815164</P> <P>I need every event with jobId=527A63 to have vamAssetId=815164 added to it. This seems like the simplest solution but I've run out of brain power to do it.</P> Mon, 24 Oct 2016 10:38:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266579#M176387 999chris 2016-10-24T10:38:27Z https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266580#M176388 <PRE><CODE>index=ateme [search index=ateme vamAssetId=$asset_id$ | fields jobId] | transaction jobId maxspan=3d | stats first(status) as Status max(progress) as Progress by filename | eval Progress=case(Status="complete",100, status="starting",0, 1=1, Progress) | rename filename as Filename </CODE></PRE> <P>Was the modified version. This worked perfectly. Cheers</P> Mon, 24 Oct 2016 17:05:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-cross-reference-2-fields-or-back-reference/m-p/266580#M176388 999chris 2016-10-24T17:05:09Z