
apply field value to remaining event till next field found

Contributor

I have the below sample events:

7/5/2019 04:24:00 name=test
7/5/2019 04:24:01 dcsdc 
7/5/2019 04:24:02 dsac,z="121"
7/5/2019 04:24:03 asdc
7/5/2019 04:24:04 name=sample
7/5/2019 04:24:05 uujy
7/5/2019 04:24:06 yuujj,z="156"
7/5/2019 04:24:07 ujyku

So here I want to apply the name=test field value to the events below it until a new name field is found, and then similarly apply name=sample to the events below it until the next name field is found. What is the best way to do this? Currently I am using the transaction command so that I can get the value of z together with the name it belongs to by grouping... Is there any other way?
I want to apply this per source field.

1 Solution

Esteemed Legend

Then do this:

... | streamstats last(name) AS name BY source



Contributor

Thanks @woodcock.
It will work if I use |reverse before the streamstats command, since I see the latest event first, but I want to see it in reverse order since all data is inserted into the log file in that manner.
Is there any other way by which I can avoid the |reverse command, since it has a performance impact? Below is the query I am currently running.

...|reverse| streamstats last(name) AS name BY source

Esteemed Legend

Nope, that is the way to do it. Please come back and click Accept to close the question.

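To make the accepted answer concrete, here is a plain-Python model of `... | reverse | streamstats last(name) AS name BY source` applied to the sample from the question. This is an added example, not Splunk code and not from anyone in the thread. The question's sample carries no source, so the `source` values and the second log (`app_b.log`) are constructed for the example; the `name`/`z` extraction is a small regex standing in for Splunk's KV extraction. Running it shows why the thread's two caveats matter: the fill has to walk events in time order (the `reverse`), and it has to be grouped `BY source`, otherwise a name from one file leaks onto another file's events.

```python
"""Forward-fill a context field (name) per source, in time order.

Added example: a plain-Python model of
    ... | reverse | streamstats last(name) AS name BY source
It is not Splunk code. The source values and app_b.log are constructed
for this example; the question's sample carries no source field.
"""
import re
from datetime import datetime

# Constructed sample, newest first (the order Splunk shows events by
# default). app_a.log is the question's sample; app_b.log is added here
# so that per-source behaviour is visible.
SAMPLE_NEWEST_FIRST = [
    ("app_a.log", '7/5/2019 04:24:07 ujyku'),
    ("app_a.log", '7/5/2019 04:24:06 yuujj,z="156"'),
    ("app_a.log", '7/5/2019 04:24:05 uujy'),
    ("app_b.log", '7/5/2019 04:24:05 beta,z="999"'),
    ("app_a.log", '7/5/2019 04:24:04 name=sample'),
    ("app_a.log", '7/5/2019 04:24:03 asdc'),
    ("app_a.log", '7/5/2019 04:24:02 dsac,z="121"'),
    ("app_b.log", '7/5/2019 04:24:01 name=other'),
    ("app_a.log", '7/5/2019 04:24:01 dcsdc'),
    ("app_a.log", '7/5/2019 04:24:00 name=test'),
]

LINE_RE = re.compile(r'^(\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$')
# key=value pairs, either quoted (z="121") or bare (name=test)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_event(source, line):
    """Parse one log line into a dict with _time, source, _raw and any
    key=value pairs found in it (a stand-in for Splunk's KV extraction)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised line: %r" % line)
    ev = {
        "_time": datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S"),
        "source": source,
        "_raw": line,
    }
    for kv in KV_RE.finditer(m.group(2)):
        ev[kv.group(1)] = kv.group(2) if kv.group(2) is not None else kv.group(3)
    return ev


def chronological(events):
    """Equivalent of `| reverse` for input that is strictly newest-first;
    a stable sort on _time also copes with input that is only roughly ordered."""
    return sorted(events, key=lambda e: e["_time"])


def forward_fill(events, field, by="source"):
    """Model of `streamstats last(<field>) AS <field> BY <by>`: walk the
    events in the given order and carry the last seen value of `field`
    forward, separately for each value of `by`. by=None gives an ungrouped
    fill, i.e. streamstats without the BY clause."""
    last = {}
    out = []
    for ev in events:
        ev = dict(ev)
        group = ev.get(by) if by is not None else None
        if field in ev:
            last[group] = ev[field]          # a new name resets the fill for this source
        elif group in last:
            ev[field] = last[group]          # otherwise inherit the last name seen
        out.append(ev)
    return out


def z_with_name(events):
    """The question's end goal: each z value with the name it belongs to."""
    return [(e["source"], e["z"], e.get("name")) for e in events if "z" in e]


if __name__ == "__main__":
    evs = [parse_event(s, l) for s, l in SAMPLE_NEWEST_FIRST]
    for label, filled in [
        ("per source, time order   ", forward_fill(chronological(evs), "name")),
        ("ungrouped, time order    ", forward_fill(chronological(evs), "name", by=None)),
        ("per source, newest first ", forward_fill(evs, "name")),
    ]:
        print(label, z_with_name(filled))
```

Only the first variant yields the pairing the question wants (z=121 with test, z=156 with sample, and app_b's z=999 with its own name). Dropping the grouping attaches app_b's `name=other` to app_a's z=121, and skipping the `reverse` step walks newest-first, so the later events have no name yet and the earlier ones pick up the wrong one.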


Contributor

Thanks @woodcock, but I want this filldown to work per source.
I tried | filldown name by source but it won't work.


Esteemed Legend

See my new answer then.


New Member

Where do you want to apply name=sample to? By "below event", which event do you mean?


Contributor

Below is the result I was expecting:

7/5/2019 04:24:00 name=test
7/5/2019 04:24:00 dcsdc ,name=test
7/5/2019 04:24:00 dsac,z="121",name=test
7/5/2019 04:24:00 asdc,name=test
7/5/2019 04:24:00 name=sample
7/5/2019 04:24:00 uujy,name=sample
7/5/2019 04:24:00 yuujj,z="156",name=sample
7/5/2019 04:24:00 ujyku,name=sample

New Member

You can use it like this, assuming the value of name is already extracted into the name field:
index=blah
|eventstats latest(name) as latestname| eval _raw=_raw + if( name= latestname ,"", ",name="+ latestname)


SplunkTrust

@ips_mander how about the filldown command i.e. | filldown name

The following is a run-anywhere search based on the sample data provided; the commands up to KV just generate the data.

| makeresults
| eval rawData="7/5/2019 04:24:00 name=\"test\";7/5/2019 04:24:00 dcsdc;7/5/2019 04:24:00 dsac,z=\"121\";7/5/2019 04:24:00 asdc;7/5/2019 04:24:00 name=\"sample\";7/5/2019 04:24:00 uujy;7/5/2019 04:24:00 yuujj,z=\"156\";7/5/2019 04:24:00 ujyku"
| makemv rawData delim=";"
| mvexpand rawData
| rename rawData as _raw
| KV
| filldown name
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Contributor

Thanks @niketnilay, but I want this filldown to work per source.
I tried | filldown name by source but it won't work.


SplunkTrust

In the sample events provided in your question, source information is not present. Can you add the relevant information so that community members can assist you better?
