Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get the next value in a column

kavyamohan
Explorer
‎10-15-2019 02:14 AM

I have values like this in a column.
Lock
Unlock
Logon
Shutdown

I want to get the next value and check it with the previous value. i.e If the previous session is lock and next session is unlock the total utilization is 0. I need to do some calculation like this. How to get the next values?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 02:50 AM

Hi kavyamohan,
could you share your search and eventually a sample of your logs?

Ciao.
Giuseppe

0 Karma
Reply

kavyamohan
Explorer
‎10-15-2019 03:19 AM

I don't have enough Karma points to share my csv. But I can share the code am using.
index="event"
| eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%d %H:%M:%S")
| eval a=SessionTime_epoch."@".Session."@".SessionTime
| sort SessionTime
| streamstats current=t window=2 first(Session) as prev_session last(Session) as nxt first(SessionTime_epoch) as prev_time by Username
|table prev_session nxt.

The savedsearch has nothing but join query to join two csv files

0 Karma
Reply

kavyamohan
Explorer
‎10-15-2019 03:53 AM

_id Username AG IG Project SystemName Macaddress Session SessionTime
ObjectId("5d78a01644d96e922597d9d3") deepak.kr.ram P2B-H7QWXC2 00059A3C7A00 Lock 2019-09-11T10:57:00.000Z""

ObjectId("5d78a03a44d96e922597d9db") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dc") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dd") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:47:00.000Z""
ObjectId("5d78a385d58589493939d9f1") nitin.suri Products LOBLAW COMPANIES LTD SAP-AM-Support BDC6-D-69T5NK2 14B31F1034C5 Unlock 2019-09-11T13:02:00.000Z""
ObjectId("5d78a715925ad595ab4d3b4b") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Lock 2019-09-11T13:15:00.000Z""
ObjectId("5d78a742925ad595ab4d3b4c") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T13:10:00.000Z""
ObjectId("5d78a904671420914e5e13fc") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Unlock 2019-09-11T13:23:00.000Z""
ObjectId("5d78a96c671420914e5e13fd") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Unlock 2019-09-11T13:25:00.000Z""
ObjectId("5d78aa2a671420914e5e13fe") suren.kd HPS AETNA Aetna - Consumer Platform CDC2-D-754BNK2 14B31F1BC3A3 Lock 2019-09-11T13:31:00.000Z""
ObjectId("5d78ab5a671420914e5e13ff") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Lock 2019-09-11T13:37:00.000Z""
ObjectId("5d78ac00671420914e5e1400") pravin.birajdar P3C-44QMX52 00FFA078688E Lock 2019-09-11T13:35:00.000Z""
ObjectId("5d78accd671420914e5e1401") ruth.sharon.dsilva M5-D-HVLVXJ2 00FFA018762D Lock 2019-09-11T13:39:00.000Z""

0 Karma
Reply

kavyamohan
Explorer
‎10-16-2019 05:06 AM

Sorry is it difficult to find from this? I solved the issue. So Thank you so much

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 03:48 AM

Hi kavyamohan,
you can add some events using the Code Sample button, I don't need of manyevents just 8-10 with at least one occurrence of each type.
Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...