There are two columns with headings "new image Name" and "source image Name". The new images are derived from source images. Also, occasionally, images are created from existing images as well. Please see sample data below.
new image Name | source image Name
----------------------------------
image1 | baseline
image2 | baseline
image3 | image1
image4 | baseline
image5 | image3
image6 | imageX
Observations:
Requirements:
Final result:
new image Name | source image Name
----------------------------------
image1 | baseline
image2 | baseline
image3 | baseline
image4 | baseline
image5 | Unknown
image6 | Unknown
Please help.
This is a non-trivial task. Splunk processes events in a pipeline. In order to do what you want, the pipeline has to be processed multiple times. If you know what the maximum depth of references is, you could set up a series of essentially the same commands finding the next reference back, until you find a baseline, or assume that it is unknown.
Do you know the maximum depth of references?
@ITWhisperer Thanks for the quick response. Depth reference of 3 is good for us. It would be great if you can suggest a query that can help us.
This does what you say you want:
| eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived
| eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName)
| eval sourceImageName=if(sourceImageName!="baseline","unknown","baseline")
However, is it really what you want, as image5 is derived from image3, which is derived from baseline? If you want to know which images are ultimately derived from baseline, you need to repeat the first two lines (for as many depths as you need).
| eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived
| eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName)
| eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived
| eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName)
| eventstats values(eval(if(sourceImageName="baseline",newImageName,null()))) as derived
| eval sourceImageName=if(in(sourceImageName, derived),"baseline",sourceImageName)
| eval sourceImageName=if(sourceImageName!="baseline","unknown","baseline")
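As an added example (not part of the original thread and not Splunk code), this Python model treats each eventstats/eval pair as one propagation pass over the question's sample rows, so the result at each depth can be checked. It goes beyond the posted query by also repeating until nothing changes, which covers any depth and still terminates on circular references. The names ROWS, one_pass and classify are made up for the illustration.

```python
# Added example: models the eventstats/eval pair from the answer in plain Python.
# ROWS is constructed from the sample table in the question.
ROWS = [
    ("image1", "baseline"),
    ("image2", "baseline"),
    ("image3", "image1"),
    ("image4", "baseline"),
    ("image5", "image3"),
    ("image6", "imageX"),
]

def one_pass(rows):
    """One eventstats + eval pair: collect the images whose source is
    'baseline', then relabel every row whose source is one of those images."""
    derived = {new for new, src in rows if src == "baseline"}
    return [(new, "baseline" if src in derived else src) for new, src in rows]

def classify(rows, passes=None):
    """Run `passes` propagation passes (None = repeat until nothing changes),
    then apply the final eval: any source that is not 'baseline' is 'unknown'."""
    done = 0
    while passes is None or done < passes:
        updated = one_pass(rows)
        if updated == rows:  # fixed point: further passes cannot change anything
            break
        rows, done = updated, done + 1
    return {new: src if src == "baseline" else "unknown" for new, src in rows}

if __name__ == "__main__":
    for n in (1, 2, None):
        print(n, classify(ROWS, passes=n))
```

With one pass image5 stays unknown, as in the question's final result; from the second pass on it resolves to baseline, while image6 never does because imageX has no row of its own.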