Solved: How to copy and insert row?

Kirthika · ‎05-13-2023

For the below table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on".

_time	ID	curr_row	comparison_result
2015-02-16T03:24:57.182+05:30	19	Turn on	equal
2015-02-16T03:24:58.869+05:30	19	1245	equal
2015-02-16T03:25:09.179+05:30	19	1245	equal
2015-02-16T03:25:12.394+05:30	19	1245	equal
2015-02-16T03:25:24.571+05:30	19	1245	equal
2015-02-16T05:30:41.956+05:30	19	1245	equal
2015-02-16T06:02:36.635+05:30	19	1245	equal
2015-02-16T06:23:23.446+05:30	20	Turn on	not equal
2015-02-16T06:23:24.608+05:30	20	7656	equal
2015-02-16T06:40:46.619+05:30	20	7690	not equal
2015-02-16T06:46:59.594+05:30	20	8783	equal

ITWhisperer · ‎05-13-2023

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

View solution in original post

Kirthika · ‎05-13-2023

Thanks. It works perfectly

ITWhisperer · ‎05-13-2023

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

How to copy and insert row?

Analytics Workspace

development

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases