Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to Set field to value of another with a where clause?

jpfrancetic
Path Finder
‎02-06-2023 07:05 AM

Hi Splunk Community,

I am trying to work with over writing fields using an if clause. The data I have is like what is in the table below:

Sourcetype Index LastSeenDate
clarity-A abc123 2-6-2023
clarity-B abc123 1-15-2023
clarity-C abc123 12-1-2022
DR:101:405 abc123 2-4-2023
BillingTool abc123 2-2-2023

 

I want to overwrite the current LastSeenDates only for clarity-B and clarity-C so that their last seen date is equal to the LastSeenDate for clarity-A. The table below is an example of what I am trying to achieve:

Sourcetype Index LastSeenDate
clarity-A abc123 2-6-2023
clarity-B abc123 2-6-2023
clarity-C abc123 2-6-2023
DR:101:405 abc123 2-4-2023
BillingTool abc123 2-2-2023
Labels (4)
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-06-2023 07:21 AM

Assuming your sourcetypes follow the pattern shown and your events are in time order, try something like this

| eval commonSourceType=mvindex(split(Sourcetype,"-"),0)
| eventstats latest(LastSeenDate) as LastSeenDate by commonSourceType
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...