Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Replace a column with diagonal value in a tabl...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khavildar
Explorer
08-17-2018
11:33 AM
host time timediff
a 12:00 END
a 11:55 1
a 11:50 1
I want to replace the "END" in timediff with the below value:
timedifference of the first 2 rows - i.e 12:00 - 11:55
and add the timediff of the second row which is 1 . Essentially , its 5 + 1 = 6 which should be the new value of END
I have used delta command to get the 6 value but am struggling to replace the END with the value.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-17-2018
06:52 PM
@khavildar,
Try this,
"your search to return above data"
|reverse|streamstats current=f window=1 last(time) as prev_time,last(timediff) as prev_diff|reverse
|eval timediff=if(timediff=="END",round((strptime(time,"%H:%M")-strptime(prev_time,"%H:%M"))/60,0)+prev_diff,timediff)
|fields - prev_diff,prev_time
Full search with dummy data
|makeresults|eval host="a",time="12:00,11:55,11:50",timediff="END,1,1"
|makemv delim="," time|makemv delim="," timediff|eval z=mvzip(time,timediff)|table host,z
|mvexpand z|eval s=split(z,",")|eval time=mvindex(s,0),timediff=mvindex(s,1)|table host,time,timediff
|eval _COMMENT="ALL ABOVE IS JUST TO CREATE DUMMY DATA AND NOTHING TO DO WITH ACTUAL SEARCH :-)"
|reverse|streamstats current=f window=1 last(time) as prev_time,last(timediff) as prev_diff|reverse
|eval timediff=if(timediff=="END",round((strptime(time,"%H:%M")-strptime(prev_time,"%H:%M"))/60,0)+prev_diff,timediff)|fields - prev_diff,prev_time
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khavildar
Explorer
08-21-2018
08:25 AM
Thanks for that Renjith!
I used your streamstats logic with delta and got it working. Below is how I got the query:
'base search' | table _time,host,timediff | sort host | delta _time as td | eval diff=abs(td) | eval end=timediff+diff | table _time host timediff end | eval n=if(isint(end),end, "0") | reverse | streamstats current=f window=1 last(n) as prev_diff |reverse | eval newrpo=if(timediff="END",prev_diff,timediff) | table _time,VMName,newrpo
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
08-17-2018
06:52 PM
@khavildar,
Try this,
"your search to return above data"
|reverse|streamstats current=f window=1 last(time) as prev_time,last(timediff) as prev_diff|reverse
|eval timediff=if(timediff=="END",round((strptime(time,"%H:%M")-strptime(prev_time,"%H:%M"))/60,0)+prev_diff,timediff)
|fields - prev_diff,prev_time
Full search with dummy data
|makeresults|eval host="a",time="12:00,11:55,11:50",timediff="END,1,1"
|makemv delim="," time|makemv delim="," timediff|eval z=mvzip(time,timediff)|table host,z
|mvexpand z|eval s=split(z,",")|eval time=mvindex(s,0),timediff=mvindex(s,1)|table host,time,timediff
|eval _COMMENT="ALL ABOVE IS JUST TO CREATE DUMMY DATA AND NOTHING TO DO WITH ACTUAL SEARCH :-)"
|reverse|streamstats current=f window=1 last(time) as prev_time,last(timediff) as prev_diff|reverse
|eval timediff=if(timediff=="END",round((strptime(time,"%H:%M")-strptime(prev_time,"%H:%M"))/60,0)+prev_diff,timediff)|fields - prev_diff,prev_time
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
KailA
Contributor
08-17-2018
11:55 AM
Hi,
Can you show us you search, I'm sure I can help you with your problem 🙂
Kail
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
khavildar
Explorer
08-21-2018
08:22 AM
Hi!
thanks much but the below answer worked for me! I have pasted the base query and how i worked around it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
horsefez
Motivator
08-17-2018
01:20 PM
KailA is an expert on time differences. :yayfox:
Get Updates on the Splunk Community!
Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...
This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Community Badges!
Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...
What You Read The Most: Splunk Lantern’s Most Popular Articles!
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
