Can you help us set a field value based on a field in another event?

New Member

I'm looking to set a field value in an event based on field values in another event.

Given the data:

ev=1 req = 1234 sess=875
ev=3 req = 1234
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673

One of the events does not have the sess field defined, but it has the same req number as an event which does. From this, I am looking to populate the sess field in the event from which it is missing, so that it becomes:

ev=1 req = 1234 sess=875
ev=3 req = 1234 sess=875
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673

As the req matches, the sess should be the same.

Any help is appreciated!

0 Karma

SplunkTrust

@jl23

You can use filldown also.

https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchReference/Filldown

YOUR_SEARCH | table ev req sess | filldown sess

My Sample Search:

| makeresults
| eval data="ev=1 req=1234 sess=875|ev=3 req=1234|ev=4 req=3004 sess=875|ev=4 req=3004 sess=673",data=split(data,"|")
| mvexpand data
| eval _raw=data
| kv
| table ev req sess
| filldown sess

Thanks

0 Karma

SplunkTrust

@jl23
Try

"your current search to get events "
|eventstats values(sess) as _tmp by req
|eval sess=coalesce(sess,_tmp)
0 Karma
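
Added example, not part of either answer and not Splunk code: a Python model of the two suggestions above, run on the question's events in a constructed interleaved order, showing that a position-based fill can attach the wrong sess to an event while grouping by req does not. The function names and the reordered sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the question's events, reordered so the event missing
# sess no longer directly follows its sibling with the same req.
SAMPLE = """\
ev=1 req = 1234 sess=875
ev=4 req =3004 sess=673
ev=3 req = 1234
ev=4 req = 3004 sess=875
"""

def parse(text):
    """Parse key=value events, tolerating spaces around '=' as in the post."""
    return [dict(re.findall(r"(\w+)\s*=\s*(\w+)", line))
            for line in text.splitlines() if line.strip()]

def filldown(events, field="sess"):
    """Model of filldown: copy the last non-null value seen, ignoring req."""
    out, last = [], None
    for ev in events:
        ev = dict(ev)
        if field in ev:
            last = ev[field]
        elif last is not None:
            ev[field] = last
        out.append(ev)
    return out

def fill_by_key(events, key="req", field="sess"):
    """Model of eventstats values(field) by key + coalesce: fill a missing
    field from events sharing the key. Several distinct values come back as
    a sorted list, the way values() yields a multivalue field."""
    seen = defaultdict(set)
    for ev in events:
        if key in ev and field in ev:
            seen[ev[key]].add(ev[field])
    out = []
    for ev in events:
        ev = dict(ev)
        vals = sorted(seen.get(ev.get(key), ()))
        if field not in ev and vals:
            ev[field] = vals[0] if len(vals) == 1 else vals
        out.append(ev)
    return out

if __name__ == "__main__":
    events = parse(SAMPLE)
    for name, fn in (("filldown", filldown), ("by req", fill_by_key)):
        print(name, [(e["ev"], e["req"], e.get("sess")) for e in fn(events)])
```

When a req carries more than one sess, as req 3004 does in the question's data, the by-req fill is ambiguous and the model returns every candidate instead of choosing one.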