Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I add a field to an extra column, depending on a condition?

j_r
Path Finder
‎12-12-2018 09:23 AM

Hi,

My log files look like this:

       ID Job_Type Target
Event1    1  A     X
Event2    1  B     Y
Event3    2  A     X1
Event4    2  B     Y1

X/X1= Startpoint
Y/Y1 = Endpoint

Startpoint is defined by Job_Type. So if Job_Type = A, then Targe = Startpoint

my search...

|basesearch
|stats values(Target) by ID

...gives me the following results:

    ID  values(Target)
    ID1 Startpoint
         Endpoint
    ID2 Startpoint
         Endpoint

How can I add the "Target" field to an extra column, depending on whether it is Job_Type=A or Job_Type=B?

Like this: ID, Startpoint, Endpoint

I tried if-condition, but it didn't work.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

whrg
Motivator
‎12-12-2018 10:30 AM

Hello @j_r,

It should be possible by using stats with eval expressions.

Using stats in combination with eval looks like this:

index=_* | stats count(eval(sourcetype=="splunkd")) as count_splunkd

So in your case, try:

basesearch
| stats first(eval(if(Job_Type=="A",Target,NULL))) as Startpoint first(eval(if(Job_Type=="B",Target,NULL))) as Endpoint by ID

You could use values() instead of first(), but there should only be one value.

View solution in original post

Reply
Solved! Jump to solution
Solution

whrg
Motivator
‎12-12-2018 10:30 AM

Hello @j_r,

It should be possible by using stats with eval expressions.

Using stats in combination with eval looks like this:

index=_* | stats count(eval(sourcetype=="splunkd")) as count_splunkd

So in your case, try:

basesearch
| stats first(eval(if(Job_Type=="A",Target,NULL))) as Startpoint first(eval(if(Job_Type=="B",Target,NULL))) as Endpoint by ID

You could use values() instead of first(), but there should only be one value.

Reply
Solved! Jump to solution

j_r
Path Finder
‎12-12-2018 11:02 AM

If i want to add another field to be displayed in the statistics, how do i do this?
with:

| table Startpoint, Endpoint, ID, Another_Field

does not work. Field stays empty

0 Karma
Reply
Solved! Jump to solution

whrg
Motivator
‎12-12-2018 11:17 AM

It depends on what you want to do.
However, the table command does not create any new fields.

Reply
Solved! Jump to solution

j_r
Path Finder
‎12-12-2018 11:27 AM

It worked by adding values(another_field) 🙂 Thanks!

0 Karma
Reply
Solved! Jump to solution

j_r
Path Finder
‎12-12-2018 10:46 AM

Thanks for this, but the columns for Target stayed empty .
I changed the search to this and its working now:

basesearch
| stats first(eval(if(like(Job_Type, "A%"),Target,NULL))) as Startpoint first(eval(if(like(Job_Type, "B%"),Target,NULL))) as Endpoint by ID

Reply
Solved! Jump to solution

whrg
Motivator
‎12-12-2018 10:02 AM

@j_r Can you post a table of what your desired results should look like?

Reply
Solved! Jump to solution

j_r
Path Finder
‎12-12-2018 10:13 AM

The result should looks like this (from example above):

ID Startpoint Endpoint
1 X Y
2 X1 Y1

At the moment the results for Startpoint and endpoint are in the same column. I would like to have them in separate columns

0 Karma
Reply
Get Updates on the Splunk Community!

Simplifying the Analyst Experience with Finding-based Detections

    Splunk invites you to an engaging Tech Talk focused on streamlining security operations with ...

[Puzzles] Solve, Learn, Repeat: Word Search

This challenge was first posted on Slack #puzzles channelThis puzzle is based on a letter grid containing ...

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Advent of CodeIn order to participate in these challenges, you will need to register with the Advent of Code ...