Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a new field based on another field under certain conditions?

POR160893
Builder
‎05-03-2022 01:38 PM

Hi,

I have created a field, "from", which is a concatenation of 2 string fields, as follows:
index = .....
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| strcat URL_PATH ":" SEQUENCE from
| table  from

The "from" field is made up of a URL string , a : character and then a number in string format.

I need to create another field "to", so that for each Nth event where the respective "from" value ends in the number N, the corresponding "to" has  the URL for the (N+1) event, : and (N+1)th value.

Example:
from                                                  to
....:1                                                       ......:2
.....2                                                       .......:3
.....:3                                                      .......:4

........................................
.........N                                                  <BLANK>

In this way, the last value of the "from" field would have a blank "to" value.
Essentially, I need to slid the "from" values up by 1 and name this other field as "to".

I have tried Regex and different eval combinations but no success.

Can you please help?


Many thanks,
P

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-03-2022 03:16 PM

Does 

 

| autoregress from as to

 

give you what you need. That simply copies the previous event's from field to the current event's to field.

Not sure if I fully understood your need though

Simple example to demonstrate

index=_audit
| stats count by user
| eval user=user.":".count
| rename user as from
| autoregress from as to

 

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2022 02:31 PM

You should be able to use eval to get the SEQUENCE value for the to field.

index = .....
| eval time_epoch = strptime('SESSION_TIMESTAMP', "%Y-%m-%d %H:%M:%S")
| convert ctime(time_epoch) as hour_minute timeformat="%Y-%m-%d %H:%M"
| eval SEQUENCEto = tonumber(SEQUENCE) + 1
| strcat URL_PATH ":" SEQUENCE from
| strcat URL_PATH ":" SEQUENCEto to
| table  from

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

POR160893
Builder
‎05-03-2022 02:52 PM

Hi,

Your query does not give me the required output.

If URL X is associated to 1, Y associated to 2 and Z associated to 3 and each are in the "from column", the respective "to" column is Y to 2,  Z to 3, ...... and blank at the very end as the last URL in "from" to connected to no other URL.

Your query just increases the final number, without changing the URL associated with that number. So, the above example would make the "to" column simply X is associated to 2, Y associated to 3 and Z associated to 4.

This is further shown on the output I got in splunk:

POR160893_0-1651614723273.png

 



I need to maintain the relationship with the URL and the final number as I increase each value by 1 to create the "to" field and have the last value blank .


Can you help?

(I gave your last message Karma though 😀)


Thanks!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-03-2022 05:02 PM

Could you provide a better example output?  The one in the OP left too much to the imagination and, obviously, I imagined wrong.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎05-03-2022 03:16 PM

Does 

 

| autoregress from as to

 

give you what you need. That simply copies the previous event's from field to the current event's to field.

Not sure if I fully understood your need though

Simple example to demonstrate

index=_audit
| stats count by user
| eval user=user.":".count
| rename user as from
| autoregress from as to

 

Reply
Solved! Jump to solution

POR160893
Builder
‎05-04-2022 01:01 AM

This was EXACTLY what I was looking for and thanks for teaching me about the autoregress function too.

Needless to say, I gave your answer much deserved Karma 😀

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-04-2022 05:45 AM

If your problem is resolved, then please click the "Accept as Solution" button to help future readers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...