Splunk Search

How to get the next value in a column

kavyamohan
Explorer

I have values like this in a column.
Lock
Unlock
Logon
Shutdown

I want to get the next value and check it against the previous value, i.e. if the previous session is Lock and the next session is Unlock, the total utilization is 0. I need to do some calculations like this. How do I get the next values?

0 Karma

gcusello
SplunkTrust

Hi kavyamohan,
could you share your search and eventually a sample of your logs?

Ciao.
Giuseppe

0 Karma

kavyamohan
Explorer

I don't have enough Karma points to share my CSV, but I can share the code I am using.
index="event"
| eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%d %H:%M:%S")
| eval a=SessionTime_epoch."@".Session."@".SessionTime
| sort SessionTime
| streamstats current=t window=2 first(Session) as prev_session last(Session) as nxt first(SessionTime_epoch) as prev_time by Username
| table prev_session nxt

The saved search has nothing but a join query to join two CSV files.

0 Karma

kavyamohan
Explorer

_id Username AG IG Project SystemName Macaddress Session SessionTime
ObjectId("5d78a01644d96e922597d9d3") deepak.kr.ram P2B-H7QWXC2 00059A3C7A00 Lock 2019-09-11T10:57:00.000Z""

ObjectId("5d78a03a44d96e922597d9db") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dc") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T12:45:00.000Z""
ObjectId("5d78a03a44d96e922597d9dd") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Lock 2019-09-11T12:47:00.000Z""
ObjectId("5d78a385d58589493939d9f1") nitin.suri Products LOBLAW COMPANIES LTD SAP-AM-Support BDC6-D-69T5NK2 14B31F1034C5 Unlock 2019-09-11T13:02:00.000Z""
ObjectId("5d78a715925ad595ab4d3b4b") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Lock 2019-09-11T13:15:00.000Z""
ObjectId("5d78a742925ad595ab4d3b4c") abigail.mariam.anil M5-D-HXSNXJ2 00FFA01833EB Unlock 2019-09-11T13:10:00.000Z""
ObjectId("5d78a904671420914e5e13fc") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Unlock 2019-09-11T13:23:00.000Z""
ObjectId("5d78a96c671420914e5e13fd") saurav.subir.nandi HPS UK ROYAL MAIL Supply chain Visibility - AO - SEZ M5-D-6L0BNK2 14B31F0E342D Unlock 2019-09-11T13:25:00.000Z""
ObjectId("5d78aa2a671420914e5e13fe") suren.kd HPS AETNA Aetna - Consumer Platform CDC2-D-754BNK2 14B31F1BC3A3 Lock 2019-09-11T13:31:00.000Z""
ObjectId("5d78ab5a671420914e5e13ff") s.bx.subramanian M5-D-6LPLXH2 00FFA0B42AEB Lock 2019-09-11T13:37:00.000Z""
ObjectId("5d78ac00671420914e5e1400") pravin.birajdar P3C-44QMX52 00FFA078688E Lock 2019-09-11T13:35:00.000Z""
ObjectId("5d78accd671420914e5e1401") ruth.sharon.dsilva M5-D-HVLVXJ2 00FFA018762D Lock 2019-09-11T13:39:00.000Z""

0 Karma

kavyamohan
Explorer

Sorry, is it difficult to find from this? I solved the issue, so thank you so much.

0 Karma

gcusello
SplunkTrust

Hi kavyamohan,
you can add some events using the Code Sample button. I don't need many events, just 8-10 with at least one occurrence of each type.
Ciao.
Giuseppe

0 Karma
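
Added example, not part of the thread and not any poster's search: one way to read the next Session value per user in SPL is to sort each user's events newest-first, so that streamstats with current=f sees the chronologically next event as the "previous" one, and then restore ascending order. The index, the fields Session, SessionTime and Username, and the time format are taken from the search posted above; next_session, next_time, gap_seconds and utilization are names chosen here, and reporting the elapsed gap for every pair other than Lock followed by Unlock is an assumption.

```spl
index="event"
| eval SessionTime_epoch = strptime(SessionTime, "%Y-%m-%d %H:%M:%S")
| sort 0 Username -SessionTime_epoch
| streamstats current=f last(Session) as next_session last(SessionTime_epoch) as next_time by Username
| sort 0 Username SessionTime_epoch
| eval gap_seconds = next_time - SessionTime_epoch
| eval utilization = case(isnull(next_session), null(), Session=="Lock" AND next_session=="Unlock", 0, true(), gap_seconds)
| table Username SessionTime Session next_session gap_seconds utilization
```

The last event of each user has no following event, so next_session and utilization stay empty on that row.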