- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to map field values to rows?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report Inappropriate Content
How to map field values to rows?
I've a query which has column like AccountNO eventType _time and difference
I'm trying to find the time difference of each eventType(there are 13 eventTypes),
I'm following an algorithm and able to get the time difference of these 13 event types.
Now my result looks like this
AccountNO eventType _time difference
123456789 eventType1 1/1/2021:12:00:00
eventType2 1/1/2021:12:01:20
eventType3 1/1/2021:12:03:00
eventType4 1/1/2021:12:04:00
eventType5 1/1/2021:12:08:00
eventType6 1/1/2021:12:12:00
eventType7 1/1/2021:12:13:00
eventType8 1/1/2021:12:14:50
eventType9 1/1/2021:12:16:00
eventType10 1/1/2021:12:18:00
eventType11 1/1/2021:12:19:00
eventType12 1/1/2021:12:21:30
eventType13 1/1/2021:12:23:00
I used eval and formula to get the difference of 13 eventTypes like D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13
Now I want to map these D1 to D13 values in difference field/column. So that my result will be like below. I guess it has something to do with CASE Statement but it's not working for me. Please help
AccountNO eventType _time difference
123456789 eventType1 1/1/2021:12:00:00 00:00
eventType2 1/1/2021:12:01:20 01:20
eventType3 1/1/2021:12:03:00 01:40
eventType4 1/1/2021:12:04:00 01:00
eventType5 1/1/2021:12:08:00 07:00
eventType6 1/1/2021:12:12:00 02:00
eventType7 1/1/2021:12:13:00 03:20
eventType8 1/1/2021:12:14:50 02:00
eventType9 1/1/2021:12:16:00 01:00
eventType10 1/1/2021:12:18:00 02:00
eventType11 1/1/2021:12:19:00 01:00
eventType12 1/1/2021:12:21:30 02:00
eventType13 1/1/2021:12:23:00 04:00
Register for FREE Today!
We've made .conf21 totally virtual
and totally FREE! Our completely
online experience will run from 10/19
through 10/20 with some additional
events, too!
Learn More or Register Now >
