can we fill the Field Values basing on the Other F...

rakesh_498115 · ‎12-19-2012

Hi..

I have sample log events as follows :

event 1 :

12-10-24:0:0:1 RequestOrder OrderNo=107 Product=Samsung...
..
....
....

event 2 :

12-10-24:0:0:1 OrderProcessed OrderNo=107

...
......

....

Now i have created rex for order status and displayed the following fields . In Orderprocessed log i dont have the info of product ,so my data displayed like this

sourcetype="mylog" ("RequestOrder" OR "OrderProcessed") | table OrderStatus,OrderNo,Product

output :

OrderStatus Orderno Product
RequestOrder 107 Samsung
ProcessOrder 107

Since there is no procuct name info in OrderProcessed log . i couldnt able to display in the table . is there is a way in splunk which we can assign the procduct name basing on the Orderno . for the all the same Ordernos Product Names Should be same ..Can we do it splunk ??

Please help ?

martin_mueller · ‎12-19-2012

You can do something along the lines of this:

... | eventstats values(Product) as Product by OrderNo

can we fill the Field Values basing on the Other Field Value ?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

Are you a member of the Splunk Community?

can we fill the Field Values basing on the Other Field Value ?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk