how join with condition

Tzur · ‎06-09-2024

this is part of one table
hostname | monitor | ip | other fields...
aaa |v | ....
aaa |x | ...
bbb | v | ...

how can change the value of 'x' to 'v' in the second row (when there is two diffrent value save it as V)
i should save the ip because it can be different, the other fields also can be different

the main problem it that I use join to this table by hostname which relies on the value of montior and something it got X when the real value is V
maybe can I use join if there is V at monitor?
hope you undersatnd.

gcusello · ‎06-09-2024

hi @Tzur

let me understand: you want to take the last value of "monitor" field or there's a rule?

if the last value, you could try:

<your_search>
| stats
     last(monitor) AS monitor
     values(ip) AS ip
     values(other_fields) AS other_fields
     BY hostname

if there' s a rule (e.g. if ip=1.2.3.4),

you can try:

<your_search>
| stats
     values(eval(if(ip="1.2.3.4","v","x"))) AS monitor
     values(ip) AS ip
     values(other_fields) AS other_fields
     BY hostname

Ciao.

Giuseppe

how join with condition

join

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

how join with condition

join

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...