Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to assign previous month's fetched result to current month's field?

spoo
Explorer
‎09-16-2022 01:31 AM

Considering 2022-06 as starting month, 
If month is 2022-07, i should assign 2022-06's corresponding field values " greater_6_mon" to 2022-07's field "prev" , likewise to 2022-08 as well

Here are my values :

month            prev          greater_6_mon
2022-06                                    26

2022-07                                      2

2022-08                                      1


expected result: (please suggest)

month            prev      greater_6_mon
2022-06            0             26

2022-07           26            2

2022-08            2              1

Labels (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2022 11:19 PM

Your initial post didn't seem to have enough information, as you also want to do that by 'Team', in which case you will need to use streamstats, as @richgalloway states, however, you will need to modify it slightly to take account of the team split, i.e.

| streamstats window=1 current=f global=f first(greater_6_mon) as prev by team
| fillnull value=0 prev

View solution in original post

Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2022 11:13 PM

Simplest option is

| autoregress greater_6_mon as prev
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎09-19-2022 11:19 PM

Your initial post didn't seem to have enough information, as you also want to do that by 'Team', in which case you will need to use streamstats, as @richgalloway states, however, you will need to modify it slightly to take account of the team split, i.e.

| streamstats window=1 current=f global=f first(greater_6_mon) as prev by team
| fillnull value=0 prev
Reply
Solved! Jump to solution

spoo
Explorer
‎09-19-2022 11:58 PM

Thank you so much @bowesmana and @richgalloway . This worked perfectly as intended. Great learning!!

0 Karma
Reply
Solved! Jump to solution

spoo
Explorer
‎09-19-2022 11:07 PM

This worked fine but it is taking preceding value but I am expecting previous values of previous month. 
Example :
My values :

teammonthprevgreater_6_mon
A2022-07026
B2022-0702
C2022-0701
D2022-070

8

 

Expected :

teammonthprevgreater_6_mon
A2022-082616
B2022-08222
C2022-08121
D2022-08818



Here my greater_6mon of 2022-07 has been assigned to prev of 2022-08. Thats my intention to achieve.
Please suggest

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-16-2022 06:18 AM

Here's an untested idea

 

| streamstats window=2 first(greater_6_mon) as prev
| fillnull value=0 prev

The streamstats command computes stats on results as they're generated.  The window=2 option says to look only at the current event and the one preceding it.  The first function takes the greater_6_mon value from the previous event and stores it in the prev field of the current event.

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

spoo
Explorer
‎09-19-2022 11:59 PM

Thank you soo much, worked according to my initial requirement.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...