Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to map field values to rows?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to map field values to rows?
iamsplunker
Communicator
08-16-2021
06:37 PM
I've a query which has column like AccountNO eventType _time and difference
I'm trying to find the time difference of each eventType(there are 13 eventTypes),
I'm following an algorithm and able to get the time difference of these 13 event types.
Now my result looks like this
AccountNO eventType _time difference
123456789 eventType1 1/1/2021:12:00:00
eventType2 1/1/2021:12:01:20
eventType3 1/1/2021:12:03:00
eventType4 1/1/2021:12:04:00
eventType5 1/1/2021:12:08:00
eventType6 1/1/2021:12:12:00
eventType7 1/1/2021:12:13:00
eventType8 1/1/2021:12:14:50
eventType9 1/1/2021:12:16:00
eventType10 1/1/2021:12:18:00
eventType11 1/1/2021:12:19:00
eventType12 1/1/2021:12:21:30
eventType13 1/1/2021:12:23:00
I used eval and formula to get the difference of 13 eventTypes like D1,D2,D3,D4,D5,D6,D7,D8,D9,D10,D11,D12,D13
Now I want to map these D1 to D13 values in difference field/column. So that my result will be like below. I guess it has something to do with CASE Statement but it's not working for me. Please help
AccountNO eventType _time difference
123456789 eventType1 1/1/2021:12:00:00 00:00
eventType2 1/1/2021:12:01:20 01:20
eventType3 1/1/2021:12:03:00 01:40
eventType4 1/1/2021:12:04:00 01:00
eventType5 1/1/2021:12:08:00 07:00
eventType6 1/1/2021:12:12:00 02:00
eventType7 1/1/2021:12:13:00 03:20
eventType8 1/1/2021:12:14:50 02:00
eventType9 1/1/2021:12:16:00 01:00
eventType10 1/1/2021:12:18:00 02:00
eventType11 1/1/2021:12:19:00 01:00
eventType12 1/1/2021:12:21:30 02:00
eventType13 1/1/2021:12:23:00 04:00
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
