Splunk Search

How to update table cell results based on another row sharing a common field

AKG1_old1
Builder

Hello,

In the search query results, some cells are empty for a specific field. I am looking to update those empty cells based on another row which shares the same value for another field.

In the table below, NICKNAME is empty for some rows. These should be updated to match the first 3 rows, as they share the same NPID and Machine_Name.


NICKNAME = MX (where NPID=43417)
NICKNAME = EPAD_DUPAL_PARALLEL (where NPID=364564)


Thanks

1 Solution

AKG1_old1
Builder
| streamstats max(NPID) as NPID_P current=false 
| streamstats max(Machine_Name) as Machine_Name_P current=false 
| streamstats max(NICKNAME) as NICKNAME_P current=false reset_before=("$NPID$!=$NPID_P$") reset_after=("$Machine_Name$!=$Machine_Name_P$") reset_on_change=true 
| eval NICKNAME = if(isnull(NICKNAME) AND NPID=NPID_P AND Machine_Name=Machine_Name_P,NICKNAME_P,NICKNAME) 


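Added example, not part of the accepted answer above or of either poster's code: the same group-wise fill done with eventstats instead of a chain of streamstats, run over a constructed six-row table. The NPID values and nicknames are the ones from the question; the Machine_Name values host-a and host-b are assumed. values() collects the non-null NICKNAME values for each (NPID, Machine_Name) group and attaches them to every row in that group, so a row only inherits a nickname from rows that share both keys. A group with no nickname at all stays empty instead of picking up the previous group's value, which is what a bare sort plus filldown does when the first row of a group is null.

```spl
| makeresults count=6
| streamstats count AS row
| eval NPID=case(row<=3, 43417, true(), 364564)
| eval Machine_Name=case(row<=3, "host-a", true(), "host-b")
| eval NICKNAME=case(row==1, "MX", row==4, "EPAD_DUPAL_PARALLEL", true(), null())
| fields - _time row
| eventstats values(NICKNAME) AS NICKNAME_group BY NPID Machine_Name
| eval NICKNAME=coalesce(NICKNAME, mvindex(NICKNAME_group, 0))
| eval NICKNAME_conflict=if(coalesce(mvcount(NICKNAME_group), 0) > 1, "yes", "no")
| fields - NICKNAME_group
| table NPID Machine_Name NICKNAME NICKNAME_conflict
```

The first six lines only build the sample data; replace them with the real base search. NICKNAME_conflict flags groups that carry more than one distinct nickname: values() returns its distinct values in lexicographic order, so mvindex(..., 0) silently picks the alphabetically first one, and such groups should be checked by hand (or a lookup used, as suggested further down) rather than trusted.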


to4kawa
Ultra Champion
| sort 0 NPID, NICKNAME, Machine_Name
| filldown

I think that's enough.

Hi @agoyal, do you have a problem?

| eval NICKNAME = case(isnull(NICKNAME) AND NPID=43417, "MX", isnull(NICKNAME) AND NPID=364564, "EPAD_DUPAL_PARALLEL", true(), NICKNAME)

This is terrible.


AKG1_old1
Builder

Thanks, but as I mentioned before, NPID, NICKNAME, and Machine_Name are not the same; there could be hundreds of different values.
And the first solution will fill wrong values without checking the condition of matching NPID and Machine_Name.


to4kawa
Ultra Champion

But NPID always is.
I do sort.
If NICKNAME is not all null for any NPID, filldown is OK, besides there being many NICKNAME, Machine_Name, etc.

Anyway, why don't you create NICKNAME.csv and lookup NPID with OUTPUTNEW?

e.g. NICKNAME.csv

NICKNAME,NPID
MX,43417
EPAD_DUPAL_PARALLEL,364564

It's useful.


AKG1_old1
Builder

Just using filldown won't work for me. NICKNAME, NPID, and Machine_Name do not always have the same value.

NPID and Machine_Name should match before updating the empty NICKNAME.

Attached another example in question.


to4kawa
Ultra Champion

I see, my answer is updated. Please confirm.
