Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a column/field based on the max or value of another column

HattrickNZ
Motivator
‎05-17-2018 08:30 PM

This is my sample search and corresponding output:

 | makeresults 
    | eval data = "
    1    2017-12    A    155749    131033    84.1;
   2    2017-12    B    24869    23627    95;
   3    2017-12    C    117618    117185    99.6;
   " 
    | makemv delim=";" data 
    | mvexpand data
    | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
    | fields + date serial type attempts successfullAttempts sr 
    | rename date as _time 
    | search serial=*
| eval Q=attempts
| eval Q=if(Q==24869,"",Q)
| eval Q=if(Q==117618,"",Q)

OUTPUT

    _time   serial  type    attempts    successfullAttempts sr  Q
1   2017-12 1   A   155749  131033  84  155749
2   2017-12 2   B   24869   23627   95  
3   2017-12 3   C   117618  117185  99

I want to be able to get the value of Q(e.g. 155749 ) and create a new field called W but all the values of W would be 155749. Basically, fill out all the values in W with one value and that value being 155749, the max of Q in this case.

Sample Output of what I would like 

    _time   serial  type    attempts    successfullAttempts sr  Q   W
1   2017-12 1   A   155749  131033  84  155749   155749
2   2017-12 2   B   24869   23627   95             155749
3   2017-12 3   C   117618  117185  99           155749

I was thinking of doing ... | eval W=max(Q) but that won't work but hopefully helps understand what I am trying to do.
maybe I need to use streamstats or other. I couldn't quite get it. Maybe I need a for loop? advice appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

p_gurav
Champion
‎05-17-2018 09:39 PM

Can you try this:

| makeresults 
     | eval data = "
     1    2017-12    A    155749    131033    84.1;
    2    2017-12    B    24869    23627    95;
    3    2017-12    C    117618    117185    99.6;
    " 
     | makemv delim=";" data 
     | mvexpand data
     | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
     | fields + date serial type attempts successfullAttempts sr 
     | rename date as _time 
     | search serial=*
 | eval Q=attempts
 | eval Q=if(Q==24869,"",Q)
 | eval Q=if(Q==117618,"",Q)
 | eventstats max(Q) AS W
Reply
Solved! Jump to solution

niketn
Legend
‎05-20-2018 10:54 PM

@HattrickNZ if your issue is resolved, please accept @p_gurav 's answer as he had beaten me to it 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...