- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How can I create a new_column based on new_col...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I create a new_column based on new_column(row-1 previous row) and another_column condition?
Hi,
I'm fairly new to Splunk and lately I've tried to create a new_column trying to do the following condition:
if( column_2 == 0 AND ( column_3 == 1 OR new_column[row-1] == 1), 1, 0)
Basically - the tricky part for me so far - is a condition that checks a value on another column but also checks on the same column but one row above.
On the table below the condition above would be displayed like that:
column_2 | column_3 | new_column
0 | 0 | 0
0 | 0 | 0
0 | 0 | 0
0 | 0 | 0
0 | 1 | 1
0 | 0 | 1
0 | 0 | 1
1 | 0 | 0
1 | 0 | 0
0 | 0 | 0
I already have column_2 and column_3, as mentioned above, i'm particularly struggling on new_column creation based on the condition stated.
Any advice is appreciated
Thanks,
Theo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @theocarvalho,
Get the previous row value to current row and compare , for e.g.
your search | fields column_2 , column_3|streamstats current=f last(column_3) as prev
|eval new_column=if( column_2 == 0 AND ( column_3 == 1 OR prev== 1), 1, 0)
The first row's prev value will be null as expected. You can fillnull with some value based on your requirement.
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @renjith.nair,
Thank you for your suggestion. However, I've just tried what you posted and only worked partially.
I indeed created a new_column but it referred to 'last column_3' instead of 'last new_column'.
The consequently output was:
column_2 | column_3 | new_column
0 | 0 | 0
0 | 0 | 0
0 | 0 | 0
0 | 0 | 0
0 | 1 | 1
0 | 0 | 1
0 | 0 | 0 instead of 1
1 | 0 | 0
1 | 0 | 0
0 | 0 | 0
In this output, the new_column keeps not depending on new_column[row-1] condition.
As mentioned before any advice is appreciated.
btw, thanks for the fillnul tip.
Theo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@renjith.nair, I think you are missing window=1 in the streamstats command.
| makeresults | eval message= "Happy Splunking!!!"
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
