How to change specific value of grouped values?

lukas1
Explorer

Hi,

I have a lot of event data, where every instance can be identified by a unique ID. Every instance contains several activities. Some activities occur not only once. For some this is okay, but for others I would like to add e.g. a "_2" at the end of the activity name for the second occurrence of this activity.

As this should be performed only for the second activity within the instance and only for some activities within all, I was not sure if it is possible to transform the data with SPL in the way I need it to be.

Thanks for your support!

gcusello
SplunkTrust

Hi @lukas1,

You have to detail all the rules in an eval command.

If you could share some additional information, I could be more detailed.

Ciao.

Giuseppe

lukas1
Explorer

Hi @gcusello ,

Thanks for your quick reply!

Here you can find an exemplary data set to illustrate my problem.

Currently I only have the field activity. For every caseID there are several activities (for caseID 1, there is 2x a, b, 2x c, d). For activity a it is totally okay to be there twice. But for activity c I want to differ the first and the second occurrence within every case.

[image: example data set with caseID and activity columns]

Hope this could clarify some things.

Lukas

bowesmana
SplunkTrust

Possibly with that table, you could add

your search to produce the base table
| streamstats count by caseID activity
| eval "activity (to-be)"=if(activity="c" AND count>1, activity."_".count, activity)
| fields - count

What this basically does is create your activity-to-be column based on either the activity, or, if the count of activity 'c's is more than one, add a suffix of _{count}, where count is calculated with the streamstats.

lukas1
Explorer

Thanks @bowesmana for your answer!

It's working for me!

So when I would also like for activity z to behave like c, would it then be a good approach to proceed like:

| streamstats count by caseID activity
| eval "activity (to-be)"=if(activity="c" AND count>1, activity."_".count, activity)
| eval "activity (to-be)"=if(activity="z" AND count>1, activity."_".count, activity)
| fields - count

Otherwise it would mess up the count for c, would it?

Best,

Lukas

bowesmana
SplunkTrust

You can make it in a single eval statement:

| eval "activity (to-be)"=if(count>1 AND in(activity, "c", "z"), activity."_".count, activity)

So, if count>1 and activity is either c or z, it will behave the same way.
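The two variants discussed in this thread, re-implemented in Python as an added example (this is not SPL from the thread and not Splunk's own code; it only emulates what the pipeline does on a list of events). A running count per (caseID, activity) pair in event order stands in for `| streamstats count by caseID activity`; `single_eval` follows the accepted one-eval form with `in(activity, "c", "z")`; `chained_evals` follows the two-eval version lukas1 asked about, to show why the later eval wipes out the suffix the earlier one produced. The event rows are constructed here to match the description of caseID 1 (2x a, b, 2x c, d) plus a second case; the field names `caseID`, `activity` and `activity (to-be)` are taken from the thread.

```python
from collections import defaultdict

# Constructed sample data (not from the thread's screenshot): caseID 1 has the
# activities a, b, a, c, d, c; caseID 2 exercises both c and z occurring twice.
EVENTS = [
    {"caseID": 1, "activity": "a"},
    {"caseID": 1, "activity": "b"},
    {"caseID": 1, "activity": "a"},
    {"caseID": 1, "activity": "c"},
    {"caseID": 1, "activity": "d"},
    {"caseID": 1, "activity": "c"},
    {"caseID": 2, "activity": "c"},
    {"caseID": 2, "activity": "z"},
    {"caseID": 2, "activity": "z"},
    {"caseID": 2, "activity": "c"},
]


def streamstats_count(events, by=("caseID", "activity")):
    """Emulates `| streamstats count by caseID activity`: a running count per
    (caseID, activity) pair, incremented in event order. Returns new dicts with
    a 'count' field; the input list is left untouched."""
    counters = defaultdict(int)
    out = []
    for ev in events:
        key = tuple(ev[f] for f in by)
        counters[key] += 1
        out.append({**ev, "count": counters[key]})
    return out


def single_eval(events, suffix_activities):
    """Emulates the accepted single-eval form:
    | eval "activity (to-be)"=if(count>1 AND in(activity, "c", "z"),
                                activity."_".count, activity)
    | fields - count
    `suffix_activities` is the set of activities that get the _{count} suffix."""
    out = []
    for ev in streamstats_count(events):
        if ev["count"] > 1 and ev["activity"] in suffix_activities:
            new = f'{ev["activity"]}_{ev["count"]}'
        else:
            new = ev["activity"]
        row = {**ev, "activity (to-be)": new}
        del row["count"]  # | fields - count
        out.append(row)
    return out


def chained_evals(events, suffix_activities):
    """Emulates the two-eval version (one eval per activity, in the given order,
    all writing the same output field). Each eval's else-branch writes the plain
    activity name, so a later eval overwrites the suffix an earlier one set:
    only the activity handled by the LAST eval keeps its suffix."""
    out = []
    for ev in streamstats_count(events):
        row = {**ev}
        for act in suffix_activities:  # one eval per activity, in order
            if ev["count"] > 1 and ev["activity"] == act:
                row["activity (to-be)"] = f'{ev["activity"]}_{ev["count"]}'
            else:
                row["activity (to-be)"] = ev["activity"]
        del row["count"]
        out.append(row)
    return out


def to_be_column(rows):
    """Convenience: the 'activity (to-be)' column as a list, in event order."""
    return [r["activity (to-be)"] for r in rows]


if __name__ == "__main__":
    print("single eval :", to_be_column(single_eval(EVENTS, {"c", "z"})))
    print("chained eval:", to_be_column(chained_evals(EVENTS, ("c", "z"))))
```

Running it shows the difference directly: the single eval yields `c_2` and `z_2` for the second occurrences in both cases, while the chained version keeps `z_2` but resets `c_2` back to `c`, because the z-eval's else-branch rewrites the field for every non-z row. The count itself is not disturbed by either variant; it is the output field that gets overwritten.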

lukas1
Explorer

Thank you @bowesmana ! It's working!

Best,

Lukas
