topic Re: How to keep the same value of a field in each row until the value of the field changes? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140892#M38989 <P>Hello somesoni2,</P> <P>Thank you for your help but it is more complicated because that can be happen that another field3 appear with the same field1 value, for example :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2</LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2</LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, field3=xyz3</LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>And with your search, I have this :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2, field3=pzo3</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2, field3=pzo3</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>And I would like to have this :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2, field3=pzo3</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2, field3=pzo3</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>Any idea ?</P> <P>Thanks for your help,</P> <P>Regards,</P> Fri, 26 Sep 2014 09:16:28 GMT ludoz13 2014-09-26T09:16:28Z How to keep the same value of a field in each row until the value of the field changes? https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140889#M38986 <P>Hi all,</P> <P>I'd like to keep value on a field until the value of this field changes. Please see the following example:</P> <P>Explanation: I have:</P> <UL> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, field3=xyz3</LI> <LI>9/25/14 2:05:54.000, PM field1=abc, field2=def2</LI> <LI>9/25/14 2:05:53.000, PM field1=abc, field2=ghi2</LI> <LI>9/25/14 2:05:52.000, PM field1=jkl, field2=mno2, field3=vw3</LI> <LI>9/25/14 2:05:51.000, PM field1=jkl, field2=pqr2</LI> <LI>9/25/14 2:05:50.000, PM field1=jkl, field2=stu2</LI> <LI>9/25/14 2:05:49.000, PM field1=test, field2=tst2, field3=tre3</LI> <LI>9/25/14 2:05:48.000, PM field1=test, field2=psq2</LI> <LI>9/25/14 2:05:47.000, PM field1=test, field2=aaz2</LI> </UL> <P>I would like to do</P> <UL> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, field3=xyz3</LI> <LI>9/25/14 2:05:54.000, PM field1=abc, field2=def2, field3=xyz3</LI> <LI>9/25/14 2:05:53.000, PM field1=abc, field2=ghi2, field3=xyz3</LI> <LI>9/25/14 2:05:52.000, PM field1=jkl, field2=mno2, field3=vw3</LI> <LI>9/25/14 2:05:51.000, PM field1=jkl, field2=pqr2, field3=vw3</LI> <LI>9/25/14 2:05:50.000, PM field1=jkl, field2=stu2, field3=vw3</LI> <LI>9/25/14 2:05:49.000, PM field1=test, field2=tst2, field3=tre3</LI> <LI>9/25/14 2:05:48.000, PM field1=test, field2=psq2, field3=tre3</LI> <LI>9/25/14 2:05:47.000, PM field1=test, field2=aaz2, field3=tre3</LI> </UL> <P>Would anyone have any idea?</P> <P>Thanks a lot for your help,</P> <P>Regards,</P> <P>Ludovic</P> Thu, 25 Sep 2014 16:02:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140889#M38986 ludoz13 2014-09-25T16:02:30Z Re: How to keep the same value of a field in each row until the value of the field changes? https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140890#M38987 <P>If possible, I'd recommend updating the original code or system to just record that info. That said, it's not always possible, so you could go with something like:</P> <PRE><CODE>base searchy... | streamstats current=f last(field3) AS newfield | eval field3=if(isnull(field3),newfield,field3) | table _time field1 field2 field3 </CODE></PRE> <P>The streamstats command will carry forward the value; the eval basically checks to see if it already existed, and if so, retain the new value. Bit of a roundabout way to do it, there might be a better way.</P> Thu, 25 Sep 2014 17:36:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140890#M38987 srioux 2014-09-25T17:36:33Z Re: How to keep the same value of a field in each row until the value of the field changes? https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140891#M38988 <P>Try this</P> <PRE><CODE>your base search with _time field1, field2, field3 | eventstats first(field3) as field3 by field1 </CODE></PRE> Thu, 25 Sep 2014 21:36:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140891#M38988 somesoni2 2014-09-25T21:36:31Z Re: How to keep the same value of a field in each row until the value of the field changes? https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140892#M38989 <P>Hello somesoni2,</P> <P>Thank you for your help but it is more complicated because that can be happen that another field3 appear with the same field1 value, for example :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2</LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2</LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, field3=xyz3</LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>And with your search, I have this :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, <STRONG>field3=pzo3</STRONG></LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2, field3=pzo3</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2, field3=pzo3</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>And I would like to have this :</P> <UL> <LI>9/25/14 2:05:57.000, PM field1=abc, field2=ghi2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:56.000, PM field1=abc, field2=def2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:55.000, PM field1=abc, field2=abc2, <STRONG>field3=xyz3</STRONG></LI> <LI>9/25/14 2:05:48.000, PM field1=abc, field2=ghi2, field3=pzo3</LI> <LI>9/25/14 2:05:47.000, PM field1=abc, field2=def2, field3=pzo3</LI> <LI>9/25/14 2:05:46.000, PM field1=abc, field2=abc2, field3=pzo3</LI> </UL> <P>Any idea ?</P> <P>Thanks for your help,</P> <P>Regards,</P> Fri, 26 Sep 2014 09:16:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140892#M38989 ludoz13 2014-09-26T09:16:28Z Re: How to keep the same value of a field in each row until the value of the field changes? https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140893#M38990 <P>Running into the same issue. Did you find any proper solution?</P> <P>Appreciate any help as this would make my life 1,000 times easier.</P> <P>Thanks,<BR /> Tyler</P> Wed, 11 Mar 2015 23:06:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-keep-the-same-value-of-a-field-in-each-row-until-the/m-p/140893#M38990 tdiestel 2015-03-11T23:06:06Z