Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two field values, and dynamically create new field based on search result

paragvidhi
Engager
‎06-25-2019 07:18 AM

Hi All,

I am new to Splunk, I am looking for dynamic field creation based on a comparison between two fields value.
I have two fields in my search which named login_session and logout_session

login_session contains value like below:

0343547092129730B6AA6C2367ABA709
07CF0EDE89760D3D16AA009B05B26942
096E6160F6C77B19A8FC486D9552CE79
0DA20333C8F2E602AFB0A5453D8A42EA
0E0FDC4D83637F3B88B679884CB7F553
0F37F388296DDFCD2D30A0E4DCE2C295

logout_session contains value like below

07CF0EDE89760D3D16AA009B05B26942
0DA20333C8F2E602AFB0A5453D8A42EA
0E0FDC4D83637F3B88B679884CB7F553

So I need to create new field named active_session in this field value should be:

0343547092129730B6AA6C2367ABA709
096E6160F6C77B19A8FC486D9552CE79
0F37F388296DDFCD2D30A0E4DCE2C295

So in simple words, I need to create new field active_session and this field contains the value of login_session which is not present in logout_session.

0 Karma
Reply

jnudell_2
Builder
‎06-25-2019 12:26 PM

Maybe something like:

(... [ search for login session events ] ... ) ( ... [ search for logout session events ] ... )

| eval session_id = case(isnotnull(logout_session), logout_session, isnotnull(login_session), login_session)

| eval session_type = case(isnotnull(logout_session), "inactive", isnotnull(login_session), "active")

| eventstats latest(session_type) as current_session_type by session_id

| where current_session_type == "active"

| eval active_session = case(isnotnull(login_session), session_id)

This is a little bit more involved than @richgalloway 's suggestion, but it creates a new field (session_id) which you can track the current status against. It also finds the most recent event and sets the type accordingly, and then filters to only active sessions. If you take the where clause out, you'll still get a newly calculated field for active_session.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-25-2019 09:56 AM

In general, you can do that using the form <search for login_session> NOT [search <search for logout_session>], but if you share you current searches we can be more specific.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

paragvidhi
Engager
‎07-01-2019 10:25 AM

source=xyz | stats values(login_session), values(logout_session) by client

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...