How to map field values to rows?

iamsplunker · ‎08-16-2021

I've a query which has column like AccountNO eventType _time and difference
I'm trying to find the time difference of each eventType(there are 13 eventTypes),
I'm following an algorithm and able to get the time difference of these 13 event types.

Now my result looks like this

AccountNO eventType _time difference

123456789 eventType1 1/1/2021:12:00:00
eventType2 1/1/2021:12:01:20
eventType3 1/1/2021:12:03:00
eventType4 1/1/2021:12:04:00
eventType5 1/1/2021:12:08:00
eventType6 1/1/2021:12:12:00
eventType7 1/1/2021:12:13:00
eventType8 1/1/2021:12:14:50
eventType9 1/1/2021:12:16:00
eventType10 1/1/2021:12:18:00
eventType11 1/1/2021:12:19:00
eventType12 1/1/2021:12:21:30
eventType13 1/1/2021:12:23:00

I used eval and formula to get the difference of 13 eventTypes like D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13

Now I want to map these D1 to D13 values in difference field/column. So that my result will be like below. I guess it has something to do with CASE Statement but it's not working for me. Please help

AccountNO eventType _time difference

123456789 eventType1 1/1/2021:12:00:00 00:00
eventType2 1/1/2021:12:01:20 01:20
eventType3 1/1/2021:12:03:00 01:40
eventType4 1/1/2021:12:04:00 01:00
eventType5 1/1/2021:12:08:00 07:00
eventType6 1/1/2021:12:12:00 02:00
eventType7 1/1/2021:12:13:00 03:20
eventType8 1/1/2021:12:14:50 02:00
eventType9 1/1/2021:12:16:00 01:00
eventType10 1/1/2021:12:18:00 02:00
eventType11 1/1/2021:12:19:00 01:00
eventType12 1/1/2021:12:21:30 02:00
eventType13 1/1/2021:12:23:00 04:00

How to map field values to rows?

fields

stats

table

transaction

New Cloud Intrusion Detection System Add-on for Splunk

Happy CX Day to our Community Superheroes!

Check out This Month’s Brand new Splunk Lantern Articles