Splunk Search

How to assign a field value to other events that fulfill a certain condition?

Cydraech
Explorer

Greetings dear Splunk Community,


I'll try to keep it short and simple:

I have a Query that gets multiple fields, but only 2 really matter for this question:
eventName and eventResult.

The issue here is, the very first and last eventResult entries of a given eventName are different than all the other eventResult entries. So you can kind of imagine it looking like this:

eventName   eventResult
A           1
A           Data
A           Data
A           Data
A           2
B           3
B           Data
B           Data
B           4


And I require the value of the first entry as an extra field next to the actual data for computational purposes for each individual eventName. There's over 100 different eventName possibilities that also change over time, so nothing hard coded is possible and also no lookup tables. Also, no joins, since a join would require way too much performance due to the size of these tables.

So I'd like:

eventName   eventResult   additionalColumn
A           1             1
A           Data          1
A           Data          1
A           Data          1
A           2             1
B           3             3
B           Data          3
B           Data          3
B           4             3


Is this possible? I looked into mapping functions (to try and map the first eventResult to the eventName) but couldn't figure anything out that worked in a way that would make this possible. I cannot change anything about the data structure, nor did I develop it. 

I'd be very appreciative of any ideas. I feel like I'm just missing something small in order to get it.

Best regards,

Cyd

1 Solution

tread_splunk
Splunk Employee

| eventstats first(eventResult) as additionalColumn by eventName

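The accepted answer works because eventstats computes one aggregate per by-group and then writes it back onto every event of that group, keeping all rows (stats would collapse them). The Python model below is an added example, not code from the thread or from Splunk: the rows are constructed from the table in the question (plus a constructed group C whose first event has no eventResult, to show that null values are skipped), and the function names eventstats_first, eventstats_last and additional_column are our own. One caveat worth keeping in mind: first() takes the first value in the order events reach the command, which in a default, most-recent-first search is the newest event, so re-sorting the search (for example ascending by _time) changes which value ends up in additionalColumn; the reversed() check makes that visible.

```python
"""Model of `| eventstats first(eventResult) as additionalColumn by eventName`.

Added example, not code from the thread or from Splunk: the rows are
constructed from the table in the question, and the function names
(eventstats_first, eventstats_last, additional_column) are our own.
"""

# Constructed sample events, listed in the order the search hands them to
# eventstats (the same order as the asker's table). Group C is an extra
# constructed group whose first event lacks eventResult.
EVENTS = [
    {"eventName": "A", "eventResult": "1"},
    {"eventName": "A", "eventResult": "Data"},
    {"eventName": "A", "eventResult": "Data"},
    {"eventName": "A", "eventResult": "Data"},
    {"eventName": "A", "eventResult": "2"},
    {"eventName": "B", "eventResult": "3"},
    {"eventName": "B", "eventResult": "Data"},
    {"eventName": "B", "eventResult": "Data"},
    {"eventName": "B", "eventResult": "4"},
    {"eventName": "C"},                       # no eventResult: skipped by first()
    {"eventName": "C", "eventResult": "5"},
]


def _annotate(events, field, as_field, by, keep_first):
    """Shared worker: pick one value of `field` per `by` group and copy it
    onto every event of that group. Events stay in place and none are
    dropped, which is what distinguishes eventstats from stats."""
    chosen = {}
    for ev in events:
        key = ev.get(by)
        value = ev.get(field)
        if key is None or value is None:      # stats functions ignore null values
            continue
        if keep_first:
            chosen.setdefault(key, value)     # first value seen wins
        else:
            chosen[key] = value               # last value seen wins
    # Events without the by-field get no aggregate (chosen.get(None) is None).
    return [dict(ev, **{as_field: chosen.get(ev.get(by))}) for ev in events]


def eventstats_first(events, field, as_field, by):
    """`eventstats first(field) as as_field by by`: first value seen per group."""
    return _annotate(events, field, as_field, by, keep_first=True)


def eventstats_last(events, field, as_field, by):
    """`eventstats last(field) as as_field by by`: last value seen per group."""
    return _annotate(events, field, as_field, by, keep_first=False)


def additional_column(events):
    """The asker's query applied to `events`, returning just the new column."""
    rows = eventstats_first(events, "eventResult", "additionalColumn", "eventName")
    return [row["additionalColumn"] for row in rows]


if __name__ == "__main__":
    for row in eventstats_first(EVENTS, "eventResult", "additionalColumn", "eventName"):
        print(f'{row["eventName"]:<10}{row.get("eventResult", ""):<12}{row["additionalColumn"]}')
```

Running the file prints the annotated table from the question; swapping eventstats_first for eventstats_last, or feeding the events in reverse, shows the other boundary value (2 and 4 instead of 1 and 3) landing in the column, which is the behaviour to check before trusting the query on a re-sorted search.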


Cydraech
Explorer

Oh wow. That is so simple, I just somehow didn't think of that. Thank you so much!
