Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Copy a row in a table

komalg
New Member
‎12-30-2019 08:42 AM

Hi, I am trying to conditionally add records to my table with a slight modification to the data. for example
Date ID Type Duration
2019-11-22 ABC XYZ 4
2019-11-26 BCD YZX 2

So for this record I am trying to add data to my table like
Date ID Type Duration
2019-11-22 ABC XYZ 4
2019-11-23 ABC XYZ 3 -- Add new row
2019-11-24 ABC XYZ 2 -- Add new row
2019-11-25 ABC XYZ 1 -- Add new row
2019-11-26 BCD YZX 2 -- Add new row
2019-11-27 BCD YZX 1 -- Add new row

Any pointers on this?

Thanks.

Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-30-2019 04:09 PM 
| makeresults
| eval _raw="Date,ID,Type,Duration
2019-11-22,ABC,XYZ,4
2019-11-26,BCD,YZX,2"
| multikv
| table Date,ID,Type,Duration
| rename COMMENT as "this is the sample you provide"
| rename COMMENT as "From here, the logic"
| eval Date=strptime(Date,"%F")
| eval Date_after = relative_time(Date,"+".(Duration - 1)."d")
| eval Date=mvappend(Date,Date_after)
| mvexpand Date
| rename Date as _time
| timechart span=1d values(*) as *
| rename _time as Date
| table Date,ID,Type,Duration
| filldown ID, Type
| reverse
| streamstats count as Duration by ID
| reverse
| fieldformat Date=strftime(Date,"%F")

Hi, @komalg
How about this?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-30-2019 11:44 AM

Where does this new data come from?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

mydog8it
Builder
‎12-30-2019 10:49 AM

A Splunk Table is a visualization of data returned by a search, they do not persist beyond the "viewable" use of the original search. If the table is to be refreshed with new data, a new search is used to pull fresh results for the visualization.

Perhaps you mean a lookuptable, which looks and feels like a spreadsheet and it persists beyond the presentation of the search results.

Here is the SPL for a table result if all the fields in the example are already extracted:

        index=your_index sourcetype=your_sourcetype Date=* ID=* Type=* Duration=* | table Date ID Type Duration

Here is the SPL to create or append results in a lookuptable (make sure the lookuptable name ends in .csv):

   index=your_index sourcetype=your_sourcetype Date=* ID=* Type=* Duration=* 
    | outputlookup append=true your_lookup_name.csv

If you want to view the lookuptable after it has been populated, here is the SPL:

|inputlookup your_lookup_name.csv
0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...