Set Table Row/field from another Row/Field

wrussell12 · ‎07-02-2019

Example:

|  ID  |  NAME | CASE_ID |
|  1   |   ABC  |  C101    |
|  2   |  XYZ   |  null    |
|  3   |  DFG  |  C505    |
|  4   |  QAZ   |  null    |

I would like to set Row(2) Case_ID by Row(1) Case_Id.
Likewise, QAZ-Case_ID to DFGCase_ID.
The requirement is to link ABC and XYZ together, when they have nothing in common, but the CaseId is used for both.

Final result:

|  ID  |  NAME    | CASE_ID |
|  1   |   ABC    |  C101   |
|  2   |   XYZ    |  C101   |
|  3   |  DFG     |  C505   |
|  4   |  QAZ     |  C505   |

kamlesh_vaghela · ‎07-02-2019

@wrussell12

Have you tried filldown?

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/filldown

YOUR_SEARCH | table ID NAME CASE_ID | filldown CASE_ID

Sample Search:

| makeresults | eval t="1,ABC,C101|2,XYZ|3,DFG,C505|4,QAZ",t=split(t,"|") | mvexpand t | eval ID=mvindex(split(t,","),0),NAME=mvindex(split(t,","),1),CASE_ID=mvindex(split(t,","),2) 
| table ID NAME CASE_ID | filldown CASE_ID

Thanks

wrussell12 · ‎07-02-2019

Hardcoding is fine, for example:

if(NAME==QAZ) {
QAZ.CASE_ID = DFG.CASE_ID
}

niketn · ‎07-02-2019

@wrussell12 seems like you need to add filldown to your current result. Please try out and confirm

 | filldown CASE_ID

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Set Table Row/field from another Row/Field

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor