topic How to grab a different field in an event, based on other criteria in Splunk Search

How to grab a different field in an event, based on other criteria

DATT — Tue, 03 Dec 2024 02:28:36 GMT

I have a table that looks like this

Day	Percent
2024-11-01	100
2024-11-02	99.6
2024-11-03	94.2
...	...
2024-12-01	22.1
2024-12-02	19.0

From this table I am calculating three fields: REMEDIATION_50, _80, and _100 using the following

|eval REMEDIATION_50 = if(PERCENTAGE <= 50, "x", "")

From this eval statement, I am going to have multiple rows where the _50, and _80 rows are marked, and some where both fields are marked. I'm interested in isolating the DAY of the first time each of these milestones are hit. I've yet to craft the right combination of stats, where, and evals that gets me what I want.

In the end, I'd like to get to this of sorts

Start	50%	80%	100%
2024-11-01	2024-11-23	2024-12-02	-

Any help would be appreciated, thanks!

Re: How to grab a different field in an event, based on other criteria

bowesmana — Tue, 03 Dec 2024 06:41:37 GMT

Is this what you're after

| makeresults format=csv data="Day,Percent 2024-11-01,100 2024-11-02,99.6 2024-11-03,94.2 2024-12-01,22.1 2024-12-02,19.0" | eval _time=strptime(Day, "%F") | foreach 50 80 100 [ eval REMEDIATION_<<FIELD>> = if(Percent <= <<FIELD>>, 1,null())] | stats earliest_time(_time) as Start earliest_time(REMEDIATION_*) as r_* | foreach r_* [ eval <<MATCHSTR>>%=<<FIELD>> | fields - <<FIELD>> ] | foreach * [ eval "<<FIELD>>"=strftime('<<FIELD>>', "%F") ]

Re: How to grab a different field in an event, based on other criteria

DATT — Tue, 03 Dec 2024 17:55:45 GMT

This gets me pretty close to what I need. I modified it slightly to get to the data I need:

| makeresults format=csv data="Day,Percent 2024-11-01,100 2024-11-02,99.6 2024-11-03,94.2 2024-11-04, 79.9 2024-11-30, 49.9 2024-12-01,22.1 2024-12-02,19.0" | eval _time=strptime(Day, "%F") | foreach 50 80 100 [ eval REMAINING = 100 - <<FIELD>> | eval REMEDIATION_<<FIELD>> = if(Percent <= REMAINING, 1, null())] | stats earliest_time(_time) as Start earliest_time(REMEDIATION_*) as r_*

I'll need to figure out a way to get the 100% field to show up after the stats command but I know I can do that in a brute force manner if necessary.

I haven't seen foreach before so thank you for such a concise, relevant example.

Re: How to grab a different field in an event, based on other criteria

bowesmana — Tue, 03 Dec 2024 23:39:30 GMT

foreach is immensely powerful and leads you to a place where in your SPL you can use good field naming conventions to create concise, if a little more obtuse, logic. Here it's using numbers, but you typically use it with fields and then wildcards then a good naming strategy become important as it allows you to handle unknown field names.