Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to insert dummy data into the first few entries of a field?

splunker-0625
Splunk Employee
Splunk Employee
‎02-04-2023 05:46 AM

Here is the original table here, but I need to put some dummy data into Field_B 

Time Filed_A Field_B
1 10 Tom
2 20 Smith
3 30 Will
4 40 Sam


Like this,

Time Filed_A Field_B
1 10 DUMMY1
2 20 DUMMY2
3 30 Tom
4 40 Smith


I want to expect the order of Filed_B will be : DUMMY1,DUMMY2,Tom,Smith,Will,Sam...
Please advise me on how to write the eval command to do this...

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

liuce1
Explorer
‎02-05-2023 12:37 AM

The SPL as below, I store your previous table in a lookup table test.csv

| inputlookup test.csv
| sort Filed_A
| autoregress Field_B as newfield p=2
| fields Time Filed_A newfield
| streamstats count as num
| foreach newfield [| eval <>=if(isnull(newfield),"DUMMY".num,<>)]
| rename newfield as Field_B
| fields Time Filed_A Field_B

liuce1_0-1675586193140.png

 

If my answer can help you ,please kindly vote it . 

Thank you

View solution in original post

Reply
Solved! Jump to solution
Solution

liuce1
Explorer
‎02-05-2023 12:37 AM

The SPL as below, I store your previous table in a lookup table test.csv

| inputlookup test.csv
| sort Filed_A
| autoregress Field_B as newfield p=2
| fields Time Filed_A newfield
| streamstats count as num
| foreach newfield [| eval <>=if(isnull(newfield),"DUMMY".num,<>)]
| rename newfield as Field_B
| fields Time Filed_A Field_B

liuce1_0-1675586193140.png

 

If my answer can help you ,please kindly vote it . 

Thank you

Reply
Solved! Jump to solution

splunker-0625
Splunk Employee
Splunk Employee
‎02-05-2023 05:46 PM

Hi liuce1,
Thank you for your reply
Your idea that is using autoregress, seems working for me. 

I could make put some dummy data for my targeting column with a simple procedure.

Thanks,

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2023 10:07 AM

If Field_B is a multi-value field then you could use mvappend to add the values.

| eval Field_B = mvappend("DUMMY1", "DUMMY2", Field_B)

If Field_B is not multi-valued then please share the query that produced the results so we can tell you how to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...