https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312037#M93470 <P>Hello,</P> <P>I have a list of three events, each of them has the same ID in the field ID. One event containing a field that states PRINT=Y. <BR /> The other two events being ACTION=PRINT and ACTION=NO_PRINT. <BR /> I want to add a field that checks if the done action was correct by checking that if PRINT was Y, and the event states ACTION=PRINT its value becomes "ok".</P> <P>The table should look like this:</P> <P><STRONG>Action -- Validation</STRONG><BR /> 1. PRINT -- ok<BR /> 2. NO_PRINT -- error</P> <P>How can I do this? If I want to eval a field, it only evaluates the value of the field with PRINT=Y in it, and I can't seem to use it for the other two events. </P> Thu, 06 Apr 2017 09:07:16 GMT ckunath 2017-04-06T09:07:16Z https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312037#M93470 <P>Hello,</P> <P>I have a list of three events, each of them has the same ID in the field ID. One event containing a field that states PRINT=Y. <BR /> The other two events being ACTION=PRINT and ACTION=NO_PRINT. <BR /> I want to add a field that checks if the done action was correct by checking that if PRINT was Y, and the event states ACTION=PRINT its value becomes "ok".</P> <P>The table should look like this:</P> <P><STRONG>Action -- Validation</STRONG><BR /> 1. PRINT -- ok<BR /> 2. NO_PRINT -- error</P> <P>How can I do this? If I want to eval a field, it only evaluates the value of the field with PRINT=Y in it, and I can't seem to use it for the other two events. </P> Thu, 06 Apr 2017 09:07:16 GMT https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312037#M93470 ckunath 2017-04-06T09:07:16Z https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312038#M93471 <P>Hi ckunath,<BR /> you should try something like this:</P> <PRE><CODE>your_search | transaction ID | eval check=if(PRINT="Y" AND ACTION="PRINT","ok","error") | table _time PRINT ACTION check </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 06 Apr 2017 10:08:35 GMT https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312038#M93471 gcusello 2017-04-06T10:08:35Z https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312039#M93472 <P>Hi giuseppe,</P> <P>thanks a lot for your quick response!<BR /> It does work, but it groups all events into one table row and I need to have the events separated..</P> <P>For the events</P> <PRE><CODE>20170102 ID=100 ACTION=PRINT 20170102 ID=100 ACTION=NO_PRINT 20170101 ID=100 PRINT=Y </CODE></PRE> <P>I need a table like this</P> <PRE><CODE>2017-01-02 -- PRINT -- ok 2017-01-02 -- NO_PRINT -- error 2017-01-02 -- -- </CODE></PRE> <P>Do you know a way to do that? I appreciate your help!</P> Thu, 06 Apr 2017 11:00:18 GMT https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312039#M93472 ckunath 2017-04-06T11:00:18Z https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312040#M93473 <P>Hi Hi ckunath,,<BR /> last year I did the same question, see the answer <A href="https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html">https://answers.splunk.com/answers/341972/how-do-i-separate-the-results-of-a-transaction-to.html</A>.<BR /> Bye.<BR /> Giuseppe</P> Thu, 06 Apr 2017 11:13:00 GMT https://community.splunk.com/t5/Splunk-Search/Save-value-of-a-field-of-one-event-and-compare-it-with-all-other/m-p/312040#M93473 gcusello 2017-04-06T11:13:00Z