Re: Can you help us set a field value based on a f...

jl23 · ‎01-23-2019

I'm looking to set a field value in an event based on field values in another event.

Given the data:

ev=1 req = 1234 sess=875
ev=3 req = 1234
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673

One of the events does not have the sess field defined, but it has the same req number as an event which does. From this, I am looking to populate the sess field in the event, from which it is missing, and it should become:

ev=1 req = 1234 sess=875
ev=3 req = 1234 sess=875
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673

as the req match then the sess should be the same.

Any help is appreciated!

kamlesh_vaghela · ‎01-23-2019

@jl23

You can use filldown also.

https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchReference/Filldown

YOUR_SEARCH | table ev req sess | filldown sess

My Sample Search:

| makeresults | eval data="ev=1 req=1234 sess=875|ev=3 req=1234|ev=4 req=3004 sess=875|ev=4 req=3004 sess=673",data=split(data,"|") | mvexpand data | eval _raw=data | kv | table ev req sess | filldown sess

Thanks

renjith_nair · ‎01-23-2019

@jl23
Try

"your current search to get events "
|eventstats values(sess) as _tmp by req
|eval sess=coalesce(sess,_tmp)

---
What goes around comes around. If it helps, hit it with Karma 🙂

Can you help us set a field value based on a field in another event?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Can you help us set a field value based on a field in another event?

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability