Greetings dear Splunk Community,
I'll try to keep it short and simple:
I have a Query that gets multiple fields, but only 2 really matter for this question:
eventName and eventResult.
The issue here is, the very first and last eventResult entries of a given eventName are different than all the other eventResult entries. so you can kind of imagine it looking like this:
| eventName | eventResult |
| A | 1 |
| A | Data |
| A | Data |
| A | Data |
| A | 2 |
| B | 3 |
| B | Data |
| B | Data |
| B | 4 |
And I require the value of the first entry as an extra field next to the actual data for computational purposes for each individual eventName. There's over 100 different eventName possibilities that also change over time, so nothing hard coded is possible and also no lookup tables. Also, no joins, since a join would require way too much performance due to the size of these tables.
so I'd like
| eventName | eventResult | additionalColumn |
| A | 1 | 1 |
| A | Data | 1 |
| A | Data | 1 |
| A | Data | 1 |
| A | 2 | 1 |
| B | 3 | 3 |
| B | Data | 3 |
| B | Data | 3 |
| B | 4 | 3 |
Is this possible? I looked into mapping functions (to try and map the first eventResult to the eventName) but couldn't figure anything out that worked in a way that would make this possible. I cannot change anything about the data structure, nor did I develop it.
I'd be very appreciative of any ideas. I feel like I'm just missing something small in order to get it.
Best regards,
Cyd
