- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- assigning repeating / rolling sequential field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am looking to have a new field that will assign a reference to each, this reference will be sequential and will repeat.
e.g.
Record . . . ref
1, 6, 11 . . . 1
2, 7, 12 . . . 2
but the number of records is going to change as will the number for the first record so it needs to work on the order of the records.
I had thought stream stats but can't see a way to make it work.
Many thanks for any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=5000
| streamstats current=f count
| eval ref = "a ref of ".((count % 5) + 1)
Hi, @ChrisCLewis
My machine can't work with count=500000000
but , your machine will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults count=5000
| streamstats current=f count
| eval ref = "a ref of ".((count % 5) + 1)
Hi, @ChrisCLewis
My machine can't work with count=500000000
but , your machine will work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for the answer, never clocked the "current=f" option...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's unclear how the 'Ref' column is to be computed. Please explain.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1 to what @richgalloway said. Ideally you can give us a few more example logs and the edge cases you want the code to be able to handle, as well as why streamstats won't work. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Thank you for getting back.
What is in the logs will not determine what the reference number would be.
I am looking at a fixed range of references e.g. 1 through 5 (could also easily be a through e) and the earliest / record would take a reference of one
2nd, a ref of 2
3rd, a ref of 3
4th, a ref of 4
5th, a ref of 5
6th, a ref of 1
7th, a ref of 2
...
10th, a ref of 5
11th, a ref of 1 etc
this would continue through all records until they all have a ref from the 1 through 5 range.
There could easily be 5 million records to go through.
Many thanks
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
