Splunk Search

Is there a way where I can tag events and add another field based on hierarchy?

Explorer

Is there a way where I can tag events and add another field based on hierarchy?

For example:

ID 1 has different initial tags (A, B, C, and D). Since A is the highest, the final tag should be "A".

 ID | InitialTag | FinalTag
 1  | A          | A
 1  | B          | A
 1  | C          | A
 1  | D          | A

Tag Ranks:
A - 1st
B - 2nd
C - 3rd
D - 4th


Legend

Hi patricianaguit,

If InitialTag is a number, you can use the max function in the stats command, e.g.

my_search
| stats values(InitialTag) AS InitialTag max(InitialTag) AS FinalTag BY ID

Otherwise, if InitialTag has a limited number of values, you can use a lookup to give a rank to your values, e.g.
a lookup with two values called TagRank.csv:

  Tag,Rank
  A,1
  B,2
  C,3
  D,4

and a search like this:

my_search
| lookup TagRank.csv Tag AS InitialTag OUTPUT Rank
| stats values(InitialTag) AS InitialTag min(Rank) AS FinalTag BY ID

Bye.
Giuseppe
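The lookup approach above, carried through to the per-event table from the question, as an added example that is not part of the original post. It assumes TagRank.csv from the answer is uploaded as a lookup table file. The five events are constructed sample data, and `n` and `BestRank` are helper field names introduced here. Because A has rank 1, the lowest rank number per ID is the highest tag, and a second lookup turns that rank back into the tag name.

```spl
| makeresults count=5
| streamstats count AS n
| eval ID=if(n<=4, 1, 2)
| eval InitialTag=case(n=1,"C", n=2,"A", n=3,"D", n=4,"B", n=5,"C")
| lookup TagRank.csv Tag AS InitialTag OUTPUT Rank
| eventstats min(Rank) AS BestRank BY ID
| lookup TagRank.csv Rank AS BestRank OUTPUT Tag AS FinalTag
| table ID InitialTag FinalTag
```

Every row for ID 1 ends up with FinalTag A, and the single row for ID 2 gets C. Using eventstats instead of stats keeps one row per event, and a tag missing from the lookup gets no Rank, so it never wins the min.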


Explorer

Thank you, this worked for me!

Super Champion

What's your logic to say A is the highest? (Alphabetical order?)

Super Champion

Try this:

|eventstats first(InitialTag) as FinalTag by ID