Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to copy and insert row?

Kirthika
Path Finder
‎05-13-2023 03:19 AM

For the below table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on".

_time ID curr_row comparison_result
2015-02-16T03:24:57.182+05:30 19 Turn on equal
2015-02-16T03:24:58.869+05:30 19 1245 equal
2015-02-16T03:25:09.179+05:30 19 1245 equal
2015-02-16T03:25:12.394+05:30 19 1245 equal
2015-02-16T03:25:24.571+05:30 19 1245 equal
2015-02-16T05:30:41.956+05:30 19 1245 equal
2015-02-16T06:02:36.635+05:30 19 1245 equal
2015-02-16T06:23:23.446+05:30 20 Turn on not equal
2015-02-16T06:23:24.608+05:30 20 7656 equal
2015-02-16T06:40:46.619+05:30 20 7690 not equal
2015-02-16T06:46:59.594+05:30 20 8783 equal
Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2023 03:49 AM

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

View solution in original post

Reply
Solved! Jump to solution

Kirthika
Path Finder
‎05-13-2023 04:05 AM

Thanks.  It works perfectly

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-13-2023 03:49 AM

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...