Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to insert dummy data into the first few entries of a field?

splunker-0625
Splunk Employee
Splunk Employee
‎02-04-2023 05:46 AM

Here is the original table here, but I need to put some dummy data into Field_B 

Time Filed_A Field_B
1 10 Tom
2 20 Smith
3 30 Will
4 40 Sam


Like this,

Time Filed_A Field_B
1 10 DUMMY1
2 20 DUMMY2
3 30 Tom
4 40 Smith


I want to expect the order of Filed_B will be : DUMMY1,DUMMY2,Tom,Smith,Will,Sam...
Please advise me on how to write the eval command to do this...

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

liuce1
Explorer
‎02-05-2023 12:37 AM

The SPL as below, I store your previous table in a lookup table test.csv

| inputlookup test.csv
| sort Filed_A
| autoregress Field_B as newfield p=2
| fields Time Filed_A newfield
| streamstats count as num
| foreach newfield [| eval <>=if(isnull(newfield),"DUMMY".num,<>)]
| rename newfield as Field_B
| fields Time Filed_A Field_B

liuce1_0-1675586193140.png

 

If my answer can help you ,please kindly vote it . 

Thank you

View solution in original post

Reply
Solved! Jump to solution
Solution

liuce1
Explorer
‎02-05-2023 12:37 AM

The SPL as below, I store your previous table in a lookup table test.csv

| inputlookup test.csv
| sort Filed_A
| autoregress Field_B as newfield p=2
| fields Time Filed_A newfield
| streamstats count as num
| foreach newfield [| eval <>=if(isnull(newfield),"DUMMY".num,<>)]
| rename newfield as Field_B
| fields Time Filed_A Field_B

liuce1_0-1675586193140.png

 

If my answer can help you ,please kindly vote it . 

Thank you

Reply
Solved! Jump to solution

splunker-0625
Splunk Employee
Splunk Employee
‎02-05-2023 05:46 PM

Hi liuce1,
Thank you for your reply
Your idea that is using autoregress, seems working for me. 

I could make put some dummy data for my targeting column with a simple procedure.

Thanks,

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎02-04-2023 10:07 AM

If Field_B is a multi-value field then you could use mvappend to add the values.

| eval Field_B = mvappend("DUMMY1", "DUMMY2", Field_B)

If Field_B is not multi-valued then please share the query that produced the results so we can tell you how to accomplish your goal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...