Solved: How to copy and insert row?

Kirthika · ‎05-13-2023

For the below table, whenever a comparison_result column value is equal to "not equal", it should copy the corresponding whole row value and insert before that row by changing curr_row value alone to "Turn on".

_time	ID	curr_row	comparison_result
2015-02-16T03:24:57.182+05:30	19	Turn on	equal
2015-02-16T03:24:58.869+05:30	19	1245	equal
2015-02-16T03:25:09.179+05:30	19	1245	equal
2015-02-16T03:25:12.394+05:30	19	1245	equal
2015-02-16T03:25:24.571+05:30	19	1245	equal
2015-02-16T05:30:41.956+05:30	19	1245	equal
2015-02-16T06:02:36.635+05:30	19	1245	equal
2015-02-16T06:23:23.446+05:30	20	Turn on	not equal
2015-02-16T06:23:24.608+05:30	20	7656	equal
2015-02-16T06:40:46.619+05:30	20	7690	not equal
2015-02-16T06:46:59.594+05:30	20	8783	equal

ITWhisperer · ‎05-13-2023

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

View solution in original post

Kirthika · ‎05-13-2023

Thanks. It works perfectly

ITWhisperer · ‎05-13-2023

Try something like this.

| eval row=if(comparison_result=="not equal" AND curr_row!="Turn on",mvrange(0,2),null())
| mvexpand row
| eval curr_row=if(row==0,"Turn on",curr_row)
| fields - row

Your dummy data is a bit suspect (again!) imho, so I have assumed you only want to duplicate the row if curr_row is not already "Turn on"

Btw, shouldn't the last row also be "not equal"? (Suspect data!)

How to copy and insert row?

Analytics Workspace

development

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake

Splunk With AppDynamics - Meet the New IT (And Engineering) Couple