Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Evaluate _time against current value and next value in a foreach and mvfilter ?

dhtran
Loves-to-Learn Lots
‎04-21-2020 12:54 PM

Hello,

I need to evaluate my _time against a list of times output from a lookup table and produce a calculated field "nextPeriodTime" which is the next time after _time.

I came quite close to the final desired result by using a combination of eval, forearch and mvfilter.

My search query

index="nxs_mq" 
    | table interstep _time  
    | lookup params_vacations.csv interstep OUTPUT 0900,1000,1100,1200,1300,1400,1500,1600,1700
    | eval nextPeriodTime="" 
    | eval eventTime=strftime(_time,"%H%M") 
    | eval eventDate=strftime(_time,"%Y-%m-%d")
    | foreach *00 [| eval nextPeriodTime = if(isnotnull(mvfilter(match('<<FIELD>>',"Y"))),'<<MATCHSTR>>',"N/A")]

Results
alt text

The problem is, for example on the first record, I need the value of nextPeriodTime to be "2020-04-21 12:00:00" instead of "17" (plus, I didn't quite understand why "17" ?) because
_time is after 11:00 and before 12:00, so the next period time from _time will be 12:00.

Is it possible / does it make sense to enrich the mvfilter() part to achieve something like 

mvfilter(match('<<FIELD>>',"Y") AND (_time > previous-'<<MATCHSTR>>' AND _time < next-'<<MATCHSTR>>') )

Thanks in advance for your help

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-21-2020 02:01 PM 
 index="nxs_mq" 
| table interstep _time  
| lookup params_vacations.csv interstep OUTPUT 0900,1000,1100,1200,1300,1400,1500,1600,1700
| foreach *00 [eval tmp=mvappend(tmp,'<<FIELD>>')
| eval check=if(mvcount(mvdedup(tmp))=1 AND match(tmp,"Y"),1,0)]
| eval nextPeriodTime = if(check=1, strftime(relative_time(_time,"@h+1h"), "%F %H%M"), "N/A")
| eval eventTime=strftime(_time,"%H%M") 
| eval eventDate=strftime(_time,"%Y-%m-%d")
| fields - tmp check

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

  • matchstr
    • Syntax: matchstr= <string>
    • Description: Replaces <<MATCHSTR>> with part of the field name that matches wildcard(s) in the specifier.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-21-2020 02:01 PM 
 index="nxs_mq" 
| table interstep _time  
| lookup params_vacations.csv interstep OUTPUT 0900,1000,1100,1200,1300,1400,1500,1600,1700
| foreach *00 [eval tmp=mvappend(tmp,'<<FIELD>>')
| eval check=if(mvcount(mvdedup(tmp))=1 AND match(tmp,"Y"),1,0)]
| eval nextPeriodTime = if(check=1, strftime(relative_time(_time,"@h+1h"), "%F %H%M"), "N/A")
| eval eventTime=strftime(_time,"%H%M") 
| eval eventDate=strftime(_time,"%Y-%m-%d")
| fields - tmp check

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

  • matchstr
    • Syntax: matchstr= <string>
    • Description: Replaces <<MATCHSTR>> with part of the field name that matches wildcard(s) in the specifier.
0 Karma
Reply
Solved! Jump to solution

dhtran
Loves-to-Learn Lots
‎04-22-2020 12:58 AM

thank you, although I need to fix some minor details in my lookup file but this works perfectly

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...