Solved: How to iterate over a field with multiple values t...

tpirozzi · ‎03-27-2017

Hi,

I have a test field with multiple values

A
B
C
D
etc...

in my splunk query I want to iterate over that field and build a new field

A@B
B@C
C@D
etc...

Is there a way to accomplish this?
I tried some different things with eval but not able to build that field.

Thanks in advance

rjthibod · ‎03-27-2017

Use streamstats. This is exactly a use case for it.

Try this assuming your special field is called "MyField" and the new field is "MyField_new"

<YOUR_BASE_SEARCH> 
| streamstats last(MyField) as prev 
| eval MyField_new = MyFields ."@". prev 
| fields - prev

woodcock · ‎03-27-2017

This can also be done with the autoregress command as follows:

<YOUR_BASE_SEARCH> 
| autoregress MyField 
| eval MyField_new = MyFields ."@". MyFields_p1
| fields - MyFields_p1

tpirozzi · ‎03-28-2017

Thank you too

gcusello · ‎03-27-2017

Hi tpirozzi,
could you explain better your need?
Bye.
Giuseppe

tpirozzi · ‎03-27-2017

Trying to build information for a Sankey Diagram.

rjthibod · ‎03-27-2017

Use streamstats. This is exactly a use case for it.

Try this assuming your special field is called "MyField" and the new field is "MyField_new"

<YOUR_BASE_SEARCH> 
| streamstats last(MyField) as prev 
| eval MyField_new = MyFields ."@". prev 
| fields - prev

tpirozzi · ‎03-27-2017

Thank you!

How to iterate over a field with multiple values to produce a new field?