
How to iterate over a field with multiple values to produce a new field?

Explorer

Hi,

I have a test field with multiple values:

A
B
C
D
etc...

In my Splunk query I want to iterate over that field and build a new field:

A@B
B@C
C@D
etc...

Is there a way to accomplish this?
I tried some different things with eval but was not able to build that field.

Thanks in advance


Re: How to iterate over a field with multiple values to produce a new field?

Champion

Use streamstats. This is exactly a use case for it.

Try this, assuming your special field is called "MyField" and the new field is "MyField_new":

<YOUR_BASE_SEARCH>
| streamstats current=f window=1 last(MyField) as prev
| eval MyField_new = MyField . "@" . prev
| fields - prev


Re: How to iterate over a field with multiple values to produce a new field?

Explorer

Thank you!


Re: How to iterate over a field with multiple values to produce a new field?

Legend

Hi tpirozzi,
Could you explain your need better?
Bye.
Giuseppe


Re: How to iterate over a field with multiple values to produce a new field?

Explorer

Trying to build information for a Sankey Diagram.


Re: How to iterate over a field with multiple values to produce a new field?

Esteemed Legend

This can also be done with the autoregress command as follows:

<YOUR_BASE_SEARCH>
| autoregress MyField
| eval MyField_new = MyField . "@" . MyField_p1
| fields - MyField_p1

Re: How to iterate over a field with multiple values to produce a new field?

Explorer

Thank you too
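
Added example, not part of the original thread: the streamstats and autoregress answers pair values across consecutive events, whereas the question describes a single multivalue field. This search builds the adjacent pairs inside one event with mvzip and mvindex, then expands them into source/target rows of the kind a Sankey diagram takes. The field name test comes from the question; the sample values and the names pair, source and target are constructed, and the values are assumed not to contain "@".

```spl
| makeresults
| eval test=split("A,B,C,D", ",")
| eval pair=mvzip(mvindex(test, 0, -2), mvindex(test, 1, -1), "@")
| mvexpand pair
| eval source=mvindex(split(pair, "@"), 0), target=mvindex(split(pair, "@"), 1)
| stats count by source target
```

When test holds a single value there is no adjacent pair, so pair is null and the event yields no source/target row.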
