https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156441#M44020 <P>Hey all,<BR /> I have a event log that i have to generate reports off of for the BI team where i work. the problem i keep running into is that the different event types log different set of information all tied to a unique event_id, but i need to have one field of a specific event type tied to all the other events with the same id.</P> <P>example:<BR /> time event_id Node user status event_type<BR /> 18534564.56 05178 HIL-DEV01 not_reporting alert<BR /> 18640234.9 05179 ROV-HOST01 disk_space_low alert<BR /> 19538754.13 05178 Hal9001 closed</P> <P>in this example i want to assign node HIL-DEV01 across all events with the ID of 05178. I have tried to do this with transactions, but i have found that i lose unique time values for events inside the transaction.</P> <P>is it possible to do this with eval? or does anyone have an idea of what to do? if you need more info just let me know.</P> Mon, 28 Sep 2020 17:10:27 GMT twistedsixty4 2020-09-28T17:10:27Z https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156441#M44020 <P>Hey all,<BR /> I have a event log that i have to generate reports off of for the BI team where i work. the problem i keep running into is that the different event types log different set of information all tied to a unique event_id, but i need to have one field of a specific event type tied to all the other events with the same id.</P> <P>example:<BR /> time event_id Node user status event_type<BR /> 18534564.56 05178 HIL-DEV01 not_reporting alert<BR /> 18640234.9 05179 ROV-HOST01 disk_space_low alert<BR /> 19538754.13 05178 Hal9001 closed</P> <P>in this example i want to assign node HIL-DEV01 across all events with the ID of 05178. I have tried to do this with transactions, but i have found that i lose unique time values for events inside the transaction.</P> <P>is it possible to do this with eval? or does anyone have an idea of what to do? if you need more info just let me know.</P> Mon, 28 Sep 2020 17:10:27 GMT https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156441#M44020 twistedsixty4 2020-09-28T17:10:27Z https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156442#M44021 <P>Try this and see if this is hat you need</P> <P>Some Search Terms | stats values(time) as Timers first(Node) as Node values(status) as Statuses values(event_type) as Events by event_id</P> Mon, 28 Sep 2020 17:10:30 GMT https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156442#M44021 strive 2020-09-28T17:10:30Z https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156443#M44022 <P>Give this a try</P> <PRE><CODE>your base search | eventstats first(Node) as Node by event_id </CODE></PRE> Thu, 24 Jul 2014 18:57:38 GMT https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156443#M44022 somesoni2 2014-07-24T18:57:38Z https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156444#M44023 <P>you are a godsend sir, this worked great!</P> Thu, 24 Jul 2014 20:52:00 GMT https://community.splunk.com/t5/Splunk-Search/extracted-field-propagation-across-related-events/m-p/156444#M44023 twistedsixty4 2014-07-24T20:52:00Z