Solved: How can I get the previous value of the field that...

pradeepkumarg · ‎08-14-2014

I'm computing a field using eval statement and in the same eval I want to check what is the value for the same field in previous event

Apparently I need autoregress on the same field which I'm computing currently. (fieldA in the below example)

|eval fieldA = if(prev_fieldA=fieldB,"Y","N")

martin_mueller · ‎08-14-2014

You can copy over neighbouring field values using streamstats:

... | streamstats current=f window=1 last(fieldA) as prev_fieldA | ...

View solution in original post

martin_mueller · ‎08-14-2014

You can copy over neighbouring field values using streamstats:

... | streamstats current=f window=1 last(fieldA) as prev_fieldA | ...

martin_mueller · ‎08-14-2014

prev_fieldA is the neighbouring value of fieldA. Run this dummy query to see for yourself:

| stats count as fieldA | eval fieldA = "a b c d d e f" | makemv fieldA | mvexpand fieldA | streamstats current=f window=1 last(fieldA) as prev_fieldA | eval equal = if(fieldA==prev_fieldA, "yes", "no")

pradeepkumarg · ‎08-14-2014

How can I club the above statement where I'm actually computing fieldA ?

prev_fieldA determines the current fieldA

How can I get the previous value of the field that I'm computing in my eval

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor