https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271784#M81813 <P>Without much information, I'm assuming you want to populate field JsessionST with JsessionST value of different row with same TicketST field value, and each JsessionST value is associated with only one TicketST field value. Please provide more details if these assumptions are wrong. If not, give this a try </P> <PRE><CODE>index=_* OR index=* sourcetype=nginx | table _time Method TicketST JsessionST | eventstats values(JsessionST) as JsessionST by TicketST </CODE></PRE> <P>Also, IMO, you don't need to include index=_* in your search as there should be no data in internal indexes for sourcetype nginx. Check that.</P> Tue, 25 Oct 2016 16:26:26 GMT somesoni2 2016-10-25T16:26:26Z https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271782#M81811 <P><span class="lia-inline-image-display-wrapper" image-alt="Hi.&lt;br&gt;There are number of events that contain dynamic values of TicketST and JsessionST fields.&lt;br&gt;But there&amp;#39;s always one event that contains unique combination of TicketST-JsessionST pair values.&lt;br&gt;Is it possible to map events based on TicketST par"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2062i7F1042766E268A39/image-size/large?v=v2&amp;px=999" role="button" title="Hi.&lt;br&gt;There are number of events that contain dynamic values of TicketST and JsessionST fields.&lt;br&gt;But there&amp;#39;s always one event that contains unique combination of TicketST-JsessionST pair values.&lt;br&gt;Is it possible to map events based on TicketST par" alt="Hi.&lt;br&gt;There are number of events that contain dynamic values of TicketST and JsessionST fields.&lt;br&gt;But there&amp;#39;s always one event that contains unique combination of TicketST-JsessionST pair values.&lt;br&gt;Is it possible to map events based on TicketST par" /></span></P> Tue, 25 Oct 2016 14:01:52 GMT https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271782#M81811 fedyshynyuriy 2016-10-25T14:01:52Z https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271783#M81812 <P>What is your question? We need more than just a screen shot to know what your problem is.</P> Tue, 25 Oct 2016 14:55:01 GMT https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271783#M81812 richgalloway 2016-10-25T14:55:01Z https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271784#M81813 <P>Without much information, I'm assuming you want to populate field JsessionST with JsessionST value of different row with same TicketST field value, and each JsessionST value is associated with only one TicketST field value. Please provide more details if these assumptions are wrong. If not, give this a try </P> <PRE><CODE>index=_* OR index=* sourcetype=nginx | table _time Method TicketST JsessionST | eventstats values(JsessionST) as JsessionST by TicketST </CODE></PRE> <P>Also, IMO, you don't need to include index=_* in your search as there should be no data in internal indexes for sourcetype nginx. Check that.</P> Tue, 25 Oct 2016 16:26:26 GMT https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271784#M81813 somesoni2 2016-10-25T16:26:26Z https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271785#M81814 <P>Thanks a lot! This is exactly what was required.</P> Wed, 26 Oct 2016 06:52:05 GMT https://community.splunk.com/t5/Splunk-Search/field-fillnull-with-values-from-correlated-events/m-p/271785#M81814 fedyshynyuriy 2016-10-26T06:52:05Z