https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686827#M234249 <P>There are a number of ways to do this - the example below uses&nbsp;<STRONG>makeresults</STRONG> to create your example data&nbsp;</P><P>Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on</P><LI-CODE lang="markup">| makeresults format=csv data="server,network,firewall server-1,network-1,yes server-1,fw-network-1,yes server-2,network-2,no server-3,network-1,yes server-3,fw-network-1,yes server-4,network-2,no server-5,network-3,yes server-5,fw-network-3,yes" | fields - firewall ``` Above creates your example table ``` | eventstats values(network) as nws by server | eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no") | fields - nws | table server network firewall</LI-CODE><P>Depending on the subleties of your data, you may need to tweak the <STRONG>eval firewall</STRONG> statement&nbsp;&nbsp;</P> Wed, 08 May 2024 03:45:48 GMT bowesmana 2024-05-08T03:45:48Z https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686820#M234245 <P>Hello,<BR />How do I&nbsp;set a flag in based on field value in multiple row?<BR />For example:<BR />In the following table,&nbsp; network-1 is set to yes because server-1 that is on <STRONG>network-1</STRONG> is also on <STRONG>fw-network-1</STRONG> that is behind a firewall.&nbsp; &nbsp;<BR /><BR /><STRONG>Please suggest. Thank you!!</STRONG></P><TABLE width="310"><TBODY><TR><TD width="101"><STRONG>server</STRONG></TD><TD width="111"><STRONG>network</STRONG></TD><TD width="98"><STRONG>firewall</STRONG></TD></TR><TR><TD>server-1</TD><TD>network-1</TD><TD>yes</TD></TR><TR><TD>server-1</TD><TD>fw-network-1</TD><TD>yes</TD></TR><TR><TD>server-2</TD><TD>network-2</TD><TD>no</TD></TR><TR><TD>server-3</TD><TD>network-1</TD><TD>yes</TD></TR><TR><TD>server-3</TD><TD>fw-network-1</TD><TD>yes</TD></TR><TR><TD>server-4</TD><TD>network-2</TD><TD>no</TD></TR><TR><TD>server-5</TD><TD>network-3</TD><TD>yes</TD></TR><TR><TD>server-5</TD><TD>fw-network-3</TD><TD>yes</TD></TR></TBODY></TABLE> Wed, 08 May 2024 02:10:19 GMT https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686820#M234245 LearningGuy 2024-05-08T02:10:19Z https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686827#M234249 <P>There are a number of ways to do this - the example below uses&nbsp;<STRONG>makeresults</STRONG> to create your example data&nbsp;</P><P>Simple way 1 - use eventstats to collect all networks for each server and then check if the results contain fw-network-X where X is the network the server is on</P><LI-CODE lang="markup">| makeresults format=csv data="server,network,firewall server-1,network-1,yes server-1,fw-network-1,yes server-2,network-2,no server-3,network-1,yes server-3,fw-network-1,yes server-4,network-2,no server-5,network-3,yes server-5,fw-network-3,yes" | fields - firewall ``` Above creates your example table ``` | eventstats values(network) as nws by server | eval firewall=if(nws="fw-".network OR match(network,"^fw-"), "yes", "no") | fields - nws | table server network firewall</LI-CODE><P>Depending on the subleties of your data, you may need to tweak the <STRONG>eval firewall</STRONG> statement&nbsp;&nbsp;</P> Wed, 08 May 2024 03:45:48 GMT https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686827#M234249 bowesmana 2024-05-08T03:45:48Z https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686926#M234285 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/6367">@bowesmana</a>&nbsp;<BR />Thanks a lot!!&nbsp; You rock!!&nbsp;&nbsp;<BR />I did make attempt on using evenstats, but then It didn't work because of&nbsp; if condition didn't work.&nbsp; It turns out I had to use a match command.&nbsp; &nbsp;<BR />I appreciate your help.</P> Wed, 08 May 2024 20:20:42 GMT https://community.splunk.com/t5/Splunk-Search/set-a-flag-in-based-on-field-value-in-multiple-row/m-p/686926#M234285 LearningGuy 2024-05-08T20:20:42Z