Hi everyone,
Can I read the value of a field from each previous result using a search? Something similar to:
| streamstats current=f last(status) as lastStatus by _time
| eval status = if(isnull(lastStatus), 0, lastStatus+1)
| table status, lastStatus
I want to get the result:
status | lastStatus |
1 | 0 |
2 | 1 |
3 | 2 |
Is it possible?
Thanks
If you run this command after the table command, it will pick the status field from the table output. There is no difference.
Please describe your goal better, maybe sample data, sample output, sample SPL ...
The main point is the following:
For example, we have an index with the following sample of data:
time | number |
18:01 | 0 |
18:02 | 1 |
18:03 | 1 |
18:04 | 0 |
18:05 | 1 |
And I want to create a search that will do the following steps: 1. If 'number' is '1', then add +1 to a new field
| eval count = 0
| streamstats current=f last(count) as lastCount by _time
| eval count = if(isnull(lastCount), 0, lastCount+1)
| table time, number, count
// but this search doesn't work
And the result in the table should be
time | number | count |
18:01 | 0 | 0 |
18:02 | 1 | 1 |
18:03 | 1 | 2 |
18:04 | 0 | 2 |
18:05 | 1 | 3 |
Hi @rendie,
You can use the autoregress command:
| autoregress status as lastStatus p=1
| table status lastStatus
This command works similarly to | streamstats. They get the last value from an event in an index, but not from the result in a table.
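
One way to produce the running count asked for in this thread, as an added example that is not from any of the posters: flag each event where number is 1, then let streamstats keep a cumulative sum of that flag, with no `by _time` clause so the total carries across events. The makeresults, makemv and mvexpand lines only construct the five sample rows from the question so the search runs without an index; the field names raw and hit are hypothetical.

```spl
| makeresults
| eval raw="18:01,0;18:02,1;18:03,1;18:04,0;18:05,1"
| makemv delim=";" raw
| mvexpand raw
| eval time=mvindex(split(raw, ","), 0), number=tonumber(mvindex(split(raw, ","), 1))
| eval hit=if(number==1, 1, 0)
| streamstats sum(hit) as count
| table time, number, count
```

Against real indexed events, put `| sort 0 _time` before the streamstats line, because search results arrive newest first and the running total follows result order.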