Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is it possible to save the value in a field in the first time it occurs and then assign it to later events?

Scott_Wang
Explorer
‎07-28-2020 11:14 PM

For example, if we have several events and there is a field named from, which is only existed in the first event. Is it possible to append this value to another event?

I'd like to save it as a temporary value and then use it later. I tried with eval temp=from, but I cannot use it(temp) in later events.

Thanks in advance!

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-28-2020 11:38 PM

Hi @Scott_Wang,

if you're speaking of later use in the same search, you can use appenpipe command to add the result of a different search (in your case the same search but only the first value).

If instead later means in other searches, you can store the from value in a lookup or in a summary index (eventually with a schedule search) and recall it when you need.

Ciao.

Giuseppe

0 Karma
Reply

Scott_Wang
Explorer
‎07-28-2020 11:56 PM

Hi @gcusello,

Thanks for your reply. I'm in the first case you mentioned. But I do not know how to use appendpipe to achieve the goal.

Let's look at an example. 

| makeresults
| eval raw="xxx123,document1,orderRequest;document1,orderRequest"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<id>\w+),doc"

Screen Shot 2020-07-28 at 11.55.02 PM.png

Currently, the id field in the second event is empty, and I'd like to fill it with xxx123, since it is also the document1 type. 

Could you write a query to achieve this one?

Thanks again!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-29-2020 12:30 AM

Hi @Scott_Wang,

please try this:

| makeresults
| eval raw="xxx123,document1,orderRequest;document1,orderRequest"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "(?<id>\w+),doc"
| stats values(id) AS id values(raw) AS raw BY _time
| mvexpand raw

Ciao.

Giuseppe

Reply

Scott_Wang
Explorer
‎07-29-2020 12:34 AM

Hi @gcusello,

I'm sorry. In the real case, the timestamp is not equal. So I cannot use BY _time... Any other ideas?

 

What I'm trying to figure out is how to use xxx123 as a temporary value, and then whenever there is another document1 that occurs in new events, I can assign the value to the new events.

 

Thank you.😁

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Synthetic Monitoring - Resolved Incident on Detector Alerts

We’ve discovered a bug that affected the auto-clear of Synthetic Detectors in the Splunk Synthetic Monitoring ...

Video | Tom’s Smartness Journey Continues

Remember Splunk Community member Tom Kopchak? If you caught the first episode of our Smartness interview ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud? Learn how unique features like ...