Splunk Search

How to change specific value of grouped values?

lukas1
Explorer

Hi,

I have a lot of event data, where every instance can be identified by a unique ID. Every instance contains several activities. Some activities occur not only once. For some this is okay, but for others I would like to add e.g. a "_2" at the end of the activity name for the second occurrence of this activity.

As this should be performed only for the second activity within the instance and only for some activities within all, I was not sure if it is possible to transform the data with SPL in the way I need it to be.


Thanks for your support!


bowesmana
SplunkTrust

Possibly with that table, you could add

your search to produce the base table
| streamstats count by caseID activity
| eval "activity (to-be)"=if(activity="c" AND count>1, activity."_".count, activity)
| fields - count

What this basically does is create your "activity (to-be)" column based on either activity, or, if the count of activity 'c's is more than one, add a suffix of _{count}, where count is calculated with the streamstats.


gcusello
SplunkTrust

Hi @lukas1,

you have to detail all the rules in an eval command,

If you could share some additional information, I could be more detailed.

Ciao.

Giuseppe

lukas1
Explorer

Hi @gcusello ,

Thanks for your quick reply!

Here you can find an example data set to illustrate my problem.

Currently I only have the field activity. For every caseID there are several activities (for caseID 1, there is 2x a, b, 2x c, d). For activity a it is totally okay to be there twice. But for activity c I want to differentiate between the first and the second occurrence within every case.

[image attachment: lukas1_0-1665652767887.png]

Hope this could clarify some things.


Lukas



lukas1
Explorer

Thanks @bowesmana for your answer!


It's working for me!

So if I would also like activity z to behave like c, would it then be a good approach to proceed like this:

| streamstats count by caseID activity
| eval "activity (to-be)"=if(activity="c" AND count>1, activity."_".count, activity)
| eval "activity (to-be)"=if(activity="z" AND count>1, activity."_".count, activity)
| fields - count


Otherwise it would mess up the count for c - would it?


Best,

Lukas


bowesmana
SplunkTrust

You can make it in a single eval statement

| eval "activity (to-be)"=if(count>1 AND (in(activity, "c","z" )), activity."_".count, activity)

so, if count>1 and activity is either c or z it will behave the same way
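To see the difference between the chained evals and the single eval on concrete rows, here is an added self-contained search (not from the thread) that builds a constructed one-case sample with makeresults and computes both variants side by side; the field names n and chained are assumptions introduced for the illustration:

```spl
| makeresults count=6
| streamstats count AS n
| eval caseID=1,
       activity=case(n=1,"a", n=2,"b", n=3,"c", n=4,"a", n=5,"c", n=6,"d")
| fields - _time, n
| streamstats count BY caseID, activity
| eval chained=if(activity="c" AND count>1, activity."_".count, activity)
| eval chained=if(activity="z" AND count>1, activity."_".count, activity)
| eval "activity (to-be)"=if(count>1 AND in(activity, "c", "z"), activity."_".count, activity)
| table caseID activity count chained "activity (to-be)"
```

On the second c row (count=2) the chained column falls back to plain c, because the second eval unconditionally reassigns the field, while the single-eval column yields c_2; the second a row stays a in both, since a is not in the list.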

lukas1
Explorer

Thank you @bowesmana! It's working!


Best,

Lukas
