I'm computing a field using an eval statement, and in the same eval I want to check what the value of the same field is in the previous event.
Apparently I need autoregress on the same field which I'm computing currently. (fieldA in the below example)
|eval fieldA = if(prev_fieldA=fieldB,"Y","N")
You can copy over neighbouring field values using streamstats:
... | streamstats current=f window=1 last(fieldA) as prev_fieldA | ...
prev_fieldA is the neighbouring value of fieldA. Run this dummy query to see for yourself:
| stats count as fieldA | eval fieldA = "a b c d d e f" | makemv fieldA | mvexpand fieldA | streamstats current=f window=1 last(fieldA) as prev_fieldA | eval equal = if(fieldA==prev_fieldA, "yes", "no")
How can I club the above statement where I'm actually computing fieldA?
prev_fieldA determines the current fieldA