Fecth the field based on other field condition

myusufe71 · ‎10-21-2024

Hi,

I need help to fetch field based on other field condition.

I have lookup table as below,

NAME STATE

abc-a-0 host1 master

abc-a-1 host2 local

abc-a-2 host3 local

abc-b-0 host4 local

abc-b-1 host4 local

abc-b-2 host4 local

I want to retrieve abc-a-* NAME based on STATE which it is as master. The master STATE is dynamic, it will be abc-b-* group also sometimes.

Example:

NAME HOST STATE

abc-a-0 host1 local

abc-a-1 host2 local

abc-a-2 host3 local

abc-b-0 host4 local

abc-b-1 host5 master

abc-b-2 host6 local

The problem is,

1. Retrieve the current master STATE if it is abc-a-* or abc-b* NAME
2. Then fetch 3 NAMEs based on condition if it is abc-a-* or abc-b-*

ITWhisperer · ‎10-21-2024

Assuming your names follow the apparent pattern you have shown, you could do something like this

| eval name_prefix=mvjoin(mvindex(split(NAME,"-"),0,1),"-")
| eventstats values(eval(if(STATE="master",STATE,null()))) as master by name_prefix
| where master="master"

Fecth the field based on other field condition

subsearch

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

Fecth the field based on other field condition

subsearch

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25