Solved: Re: how to update table cell results based on anot...

AKG1_old1 · ‎01-20-2020

Hello,

In search query results some cells populate empty results for specific field. I am looking to update those empty cells based on another row which share same results for another field.

In below table, NICKNAME for some rows are empty. These should be updated same as first 3 rows as they share same NPID and Machine_Name.

NICKNAME = MX (where NPID=43417)
NICKNAME = EPAD_DUPAL_PARALLEL (where NPID=364564)

Thanks

AKG1_old1 · ‎01-22-2020

| streamstats max(NPID) as NPID_P current=false 
| streamstats max(Machine_Name) as Machine_Name_P current=false 
| streamstats max(NICKNAME) as NICKNAME_P current=false reset_before=("$NPID$!=$NPID_P$") reset_after=("$Machine_Name$!=$Machine_Name_P$") reset_on_change=true 
| eval NICKNAME = if(isnull(NICKNAME) AND NPID=NPID_P AND Machine_Name=Machine_Name_P,NICKNAME_P,NICKNAME)

View solution in original post

AKG1_old1 · ‎01-22-2020

| streamstats max(NPID) as NPID_P current=false 
| streamstats max(Machine_Name) as Machine_Name_P current=false 
| streamstats max(NICKNAME) as NICKNAME_P current=false reset_before=("$NPID$!=$NPID_P$") reset_after=("$Machine_Name$!=$Machine_Name_P$") reset_on_change=true 
| eval NICKNAME = if(isnull(NICKNAME) AND NPID=NPID_P AND Machine_Name=Machine_Name_P,NICKNAME_P,NICKNAME)

to4kawa · ‎01-20-2020

|sort 0 NPID, NICKNAME, Machine_Name
| filldown

I think that's enough.

Hi, @agoyal Do you have a problem?

| eval NICKNAME = case(isnull(NICKNAME) AND NPID= 43417, "MX" ,isnull(NICKNAME) AND NPID=364564  ,"EPAD_DUPAL_PARALLEL" ,true(),NICKNAME)

this is terrible.

AKG1_old1 · ‎01-20-2020

thanks but as I mentioned before, NPID, NICKNAME, Machine_Name are not same. there could be hundreds of different value.
And 1st solution will fill wrong values without checking the condition of matching NPID and Machine_Name

to4kawa · ‎01-20-2020

but NPID always is.
I do sort .
If NICKNAME is not all Null with any NPID, filldown is OK. beside there are many NICKNAME, Machine_Name, etc.

Anyway, why don't you create NICKNAME.csv and lookup NPID with OUTPUTNEW .

e.g. NICKNAME.csv

NICKNAME,NPID
MX,43417
EPAD_DUPAL_PARALLEL,364564

it's useful.

AKG1_old1 · ‎01-20-2020

just using filldown won't work for me. NICKNAME, NPID, Machine_Name are not always having same value.

NPID and Machine name should match before updating the empty NICKNAME.

Attached another example in question.

to4kawa · ‎01-20-2020

I see, my answer is updated. please confirm.

how to update table cell results based on another rows sharing common field.

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation