Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Data of a field in next row in another field of current row

sunilpanda023
Path Finder
‎04-25-2017 08:35 PM

![alt text][1]

The siuation is - I have sprint and their start date , I want the next sprint start date in same row and for last sprint current date.

Current Result:-
sprint sprint_startDate
Sprint-0 06-March-2017

Sprint-1 29-March-2017

Sprint-2 17-April-2017

Required Result:-
sprint sprint_startDate ** nextsprint_startDate**
Sprint-0 06-March-2017 29-March-2017
Sprint-1 29-March-2017 17-April-2017
Sprint-2 17-April-2017 now()

Preview file
27 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-26-2017 07:19 AM 
| reverse 
| autoregress sprint_startDate as nextsprint_startDate p=1
| reverse
| fillnull value=now() nextsprint_startDate

Updated to fill in the current date for "nextsprint_startDate" for the last sprint. Probably not the right specification, in my experience, but it was the request... 😉

View solution in original post

Reply
Solved! Jump to solution

sunilpanda023
Path Finder
‎04-26-2017 06:03 PM

Thank you DalJeanis

I tried with this too and it worked and it has the step function with window to change the step in any case.

| sort - sprintstartDate
| streamstats last(sprintstartDate) as next_sprintstartDate window=1 current=f
| sort  sprintstartDate

| eval next_sprintstartDate=if(isnull(next_sprintstartDate),now()),next_sprintstartDate)
0 Karma
Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎04-26-2017 07:19 AM 
| reverse 
| autoregress sprint_startDate as nextsprint_startDate p=1
| reverse
| fillnull value=now() nextsprint_startDate

Updated to fill in the current date for "nextsprint_startDate" for the last sprint. Probably not the right specification, in my experience, but it was the request... 😉

Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...