Splunk Search

How do I create a field consisting of the previous value for each row of another field?

alcchang
Engager

I currently have a list of HTTP events that I have formatted like so:

[image: table of the formatted HTTP events]

Observe that at the bottom of the image, I have a page with a "NULL" referrer, yet it is the 3rd event in the session (see the "count" field.)

What I want to do is drop in the "request" value of the previous row into all "NULL" values IFF the "count" value of the NULL referrer row is GREATER than 1.

I created a key for this purpose; I tried to use a "join" command but I wish to do this for a large amount of data, and as you may know, the "join" doesn't like to work with large amounts of data. I can see how I could do this with multiple lookups and multiple joins, but this would be unsatisfactory for the long run.

Let me know how I can accomplish this goal. Thanks

1 Solution

somesoni2
Revered Legend

Try adding this to the end of your current search:

| streamstats current=f window=1 values(request) as prev_req by client_ip
| eval referrer=if(count>1 AND referrer="NULL",prev_req,referrer) 
| fields - prev_req

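The accepted answer relies on streamstats seeing events in session order: `current=f window=1 ... by client_ip` hands each event the value from the immediately preceding event with the same client_ip, in whatever order the pipeline delivers them. Since a raw event search returns newest-first, "previous" would mean "next most recent" unless the events are sorted first. The following Python is an added example, not code from the thread or from Splunk; it reimplements the two SPL lines over a constructed set of HTTP events (the field names client_ip, count, referrer, request and _time are assumed from the question) so the per-key carry-forward and the ordering caveat can be checked offline.

```python
"""Plain-Python equivalent of the SPL from the accepted answer:

    | streamstats current=f window=1 last(request) as prev_req by client_ip
    | eval referrer=if(count>1 AND referrer="NULL", prev_req, referrer)

Added example, not from the thread. Field names are assumed; rows are made up.
"""

# Constructed sample events, deliberately listed newest-first, which is the
# order a raw Splunk event search returns them in.
EVENTS = [
    {"_time": 1700000030, "client_ip": "10.0.0.1", "count": 3,
     "referrer": "NULL", "request": "/checkout"},
    {"_time": 1700000020, "client_ip": "10.0.0.1", "count": 2,
     "referrer": "/", "request": "/cart"},
    {"_time": 1700000010, "client_ip": "10.0.0.1", "count": 1,
     "referrer": "NULL", "request": "/"},
    {"_time": 1700000025, "client_ip": "10.0.0.2", "count": 2,
     "referrer": "http://evil.example/", "request": "/admin"},
    {"_time": 1700000015, "client_ip": "10.0.0.2", "count": 1,
     "referrer": "NULL", "request": "/login"},
]


def previous_by_key(events, key, field):
    """Mirror `streamstats current=f window=1 last(field) as prev by key`.

    Returns a list aligned with `events`: for each event, the value of `field`
    from the most recent earlier event (in list order) sharing the same `key`,
    or None for the first event seen for that key. Order is not changed here,
    exactly as streamstats does not reorder its input.
    """
    last_seen = {}
    prev = []
    for ev in events:
        prev.append(last_seen.get(ev[key]))
        last_seen[ev[key]] = ev[field]
    return prev


def fill_null_referrer(events):
    """Return new event dicts with NULL referrers replaced by the previous
    request of the same client when count > 1 (first event of a session,
    count == 1, keeps NULL).

    Events are sorted oldest-first per client before the carry-forward, which
    is the step a raw search would need (`| sort 0 _time`) for "previous" to
    mean the earlier request rather than the later one.
    """
    ordered = sorted(events, key=lambda e: (e["client_ip"], e["_time"]))
    prev_req = previous_by_key(ordered, "client_ip", "request")
    out = []
    for ev, prev in zip(ordered, prev_req):
        ev = dict(ev)
        if ev["count"] > 1 and ev["referrer"] == "NULL" and prev is not None:
            ev["referrer"] = prev
        out.append(ev)
    return out


if __name__ == "__main__":
    # Unsorted (newest-first) input: the count==3 row has no "previous" and
    # would stay NULL, showing why the sort matters.
    print(previous_by_key(EVENTS, "client_ip", "request"))
    for ev in fill_null_referrer(EVENTS):
        print(ev["client_ip"], ev["count"], ev["referrer"], ev["request"])
```

Running `previous_by_key` on the unsorted list shows the failure mode: the count 3 row for 10.0.0.1 is the first of its client seen and gets None, while the count 1 row gets "/cart" as its "previous" request. After sorting, the count 3 row picks up "/cart" and the count 1 row is left NULL by the count > 1 guard. One further SPL caveat: `values()` used in the accepted answer is a deduplicated, sorted multivalue aggregator, which is harmless with window=1 but `last()` (as in the later answer) is the literal "value from the previous row".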
alcchang
Engager

This looks good so far, lemme do some checking. Thanks a bunch. That was fast!


thambisetty
SplunkTrust
| makeresults | eval test="1,2,3,4,5" 
| makemv delim="," test
| mvexpand test
| streamstats window=1 last(test) as newfield current=f