Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a new field based on another field under certain conditions?

POR160893
Builder
‎05-03-2022 01:38 PM

Hi,

I have created a field, "from", which is a concatenation of 2 string fields, as follows:
index = .....
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat URL_PATH ":" SEQUENCE from
| table  from

The "from" field is made up of a URL string , a : character and then a number in string format.

I need to create another field "to", so that for each Nth event where the respective "from" value ends in the number N, the corresponding "to" has  the URL for the (N+1) event, : and (N+1)th value.

Example:
from                                                  to
....:1                                                       ......:2
.....2                                                       .......:3
.....:3                                                      .......:4

........................................
.........N                                                  <BLANK>

In this way, the last value of the "from" field would have a blank "to" value.
Essentially, I need to slid the "from" values up by 1 and name this other field as "to".

I have tried Regex and different eval combinations but no success.

Can you please help?


Many thanks,
P

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-03-2022 03:16 PM

Does 

 

| autoregress from as to

 

give you what you need. That simply copies the previous event's from field to the current event's to field.

Not sure if I fully understood your need though

Simple example to demonstrate

index=_audit
| stats count by user
| eval user=user.":".count
| rename user as from
| autoregress from as to

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2022 02:31 PM

You should be able to use eval to get the SEQUENCE value for the to field.

index = .....
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| eval SEQUENCEto = tonumber(SEQUENCE) + 1
| strcat URL_PATH ":" SEQUENCE from
| strcat URL_PATH ":" SEQUENCEto to
| table  from

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

POR160893
Builder
‎05-03-2022 02:52 PM

Hi,

Your query does not give me the required output.

If URL X is associated to 1, Y associated to 2 and Z associated to 3 and each are in the "from column", the respective "to" column is Y to 2,  Z to 3, ...... and blank at the very end as the last URL in "from" to connected to no other URL.

Your query just increases the final number, without changing the URL associated with that number. So, the above example would make the "to" column simply X is associated to 2, Y associated to 3 and Z associated to 4.

This is further shown on the output I got in splunk:

POR160893_0-1651614723273.png

 



I need to maintain the relationship with the URL and the final number as I increase each value by 1 to create the "to" field and have the last value blank .


Can you help?

(I gave your last message Karma though 😀)


Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2022 05:02 PM

Could you provide a better example output?  The one in the OP left too much to the imagination and, obviously, I imagined wrong.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-03-2022 03:16 PM

Does 

 

| autoregress from as to

 

give you what you need. That simply copies the previous event's from field to the current event's to field.

Not sure if I fully understood your need though

Simple example to demonstrate

index=_audit
| stats count by user
| eval user=user.":".count
| rename user as from
| autoregress from as to

 

Reply
Solved! Jump to solution

POR160893
Builder
‎05-04-2022 01:01 AM

This was EXACTLY what I was looking for and thanks for teaching me about the autoregress function too.

Needless to say, I gave your answer much deserved Karma 😀

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2022 05:45 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...