Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get the next value in a column

kavyamohan
Explorer
‎10-15-2019 02:14 AM

I have values like this in a column.
Lock
Unlock
Logon
Shutdown

I want to get the next value and check it with the previous value. i.e If the previous session is lock and next session is unlock the total utilization is 0. I need to do some calculation like this. How to get the next values?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 02:50 AM

Hi kavyamohan,
could you share your search and eventually a sample of your logs?

Ciao.
Giuseppe

0 Karma
Reply

kavyamohan
Explorer
‎10-15-2019 03:19 AM

I don't have enough Karma points to share my csv. But I can share the code am using.
index="event"
| eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%d %H:%M:%S")
| eval a=SessionTime_epoch."@".Session."@".SessionTime
| sort SessionTime
| streamstats current=t window=2 first(Session) as prev_session last(Session) as nxt first(SessionTime_epoch) as prev_time by Username
|table prev_session nxt.

The savedsearch has nothing but join query to join two csv files

0 Karma
Reply

kavyamohan
Explorer
‎10-15-2019 03:53 AM

_id Username AG IG Project SystemName Macaddress Session SessionTime
ObjectId("5d78a01644d96e922597d9d3") deepak.kr.ram P2B-H7QWXC2 00059A3C7A00 Lock 2019-09-11T10:57:00.000Z""

ObjectId("5d78a03a44d96e922597d9db") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dc") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dd") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:47:00.000Z""
ObjectId("5d78a385d58589493939d9f1") nitin.suri Products LOBLAW COMPANIES LTD SAP-AM-Support BDC6-D-69T5NK2 14B31F1034C5 Unlock 2019-09-11T13:02:00.000Z""
ObjectId("5d78a715925ad595ab4d3b4b") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Lock 2019-09-11T13:15:00.000Z""
ObjectId("5d78a742925ad595ab4d3b4c") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T13:10:00.000Z""
ObjectId("5d78a904671420914e5e13fc") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Unlock 2019-09-11T13:23:00.000Z""
ObjectId("5d78a96c671420914e5e13fd") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Unlock 2019-09-11T13:25:00.000Z""
ObjectId("5d78aa2a671420914e5e13fe") suren.kd HPS AETNA Aetna - Consumer Platform CDC2-D-754BNK2 14B31F1BC3A3 Lock 2019-09-11T13:31:00.000Z""
ObjectId("5d78ab5a671420914e5e13ff") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Lock 2019-09-11T13:37:00.000Z""
ObjectId("5d78ac00671420914e5e1400") pravin.birajdar P3C-44QMX52 00FFA078688E Lock 2019-09-11T13:35:00.000Z""
ObjectId("5d78accd671420914e5e1401") ruth.sharon.dsilva M5-D-HVLVXJ2 00FFA018762D Lock 2019-09-11T13:39:00.000Z""

0 Karma
Reply

kavyamohan
Explorer
‎10-16-2019 05:06 AM

Sorry is it difficult to find from this? I solved the issue. So Thank you so much

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-15-2019 03:48 AM

Hi kavyamohan,
you can add some events using the Code Sample button, I don't need of manyevents just 8-10 with at least one occurrence of each type.
Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...