First, thanks for clearly illustrating raw input, desired output, and the logic to get from there. Transaction is still the easiest way to go. You just need to keep track of which value is which eventtype. Many people here are familiar with the traditional technique of using string concatenation. I will show a more semantic approach afforded by JSON functions introduced in 8.1.

| rename _raw as temp ``` only if you want to preserve _raw for later ```
| tojson eventtype, field1
| transaction startswith="eventtype=get" endswith="eventtype=update"
| eval _raw = split(_raw, "
")
| eval Before = json_extract(mvindex(_raw, 0), "field1"), After = json_extract(mvindex(_raw, 1), "field1")
| rename temp as _raw ``` only if you want to preserve _raw for later ```
| fields Before, After

Note: The above is not completely semantic as I am also using the side effect of Splunk's default of lexical order.

Here is an emulation for you to play with and compare with real data.

| makeresults format=csv data="_time, eventtype, sessionid, field1
10:06, update, session2, newvalue3
10:05, get, session2, newvalue2
09:15, update, session1, newvalue2
09:12, get, session1, newvalue1
09:10, get, session1, newvalue1
09:09, update, session1, newvalue1
09:02, get, session1, oldvalue1
09:01, get, session1, oldvalue1
08:59, get, session1, oldvalue1"
| eval _time = strptime("2024-08-22T" . _time, "%FT%H:%M")
``` data emulation above ```

Output from the above search gives

Before      After       _time
newvalue2   newvalue3   2024-08-22 10:05:00
newvalue1   newvalue2   2024-08-22 09:12:00
oldvalue1   newvalue1   2024-08-22 09:02:00
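As an added cross-check that is not part of the answer above, the following Python reference implementation reproduces what the transaction command does with the emulated data: Splunk walks events newest-first, so it meets the endswith ("update") event before the startswith ("get") event, and each get closes the transaction opened by the update that preceded it. The function names parse_events and pair_get_update are my own; the CSV is the answer's own emulation data and the date 2024-08-22 is the one the answer prepends in its strptime() call.

```python
from datetime import datetime

# Sample input copied from the makeresults emulation in the answer above.
RAW_CSV = """_time, eventtype, sessionid, field1
10:06, update, session2, newvalue3
10:05, get, session2, newvalue2
09:15, update, session1, newvalue2
09:12, get, session1, newvalue1
09:10, get, session1, newvalue1
09:09, update, session1, newvalue1
09:02, get, session1, oldvalue1
09:01, get, session1, oldvalue1
08:59, get, session1, oldvalue1"""

DAY = "2024-08-22"  # same date the answer prepends in its strptime() call


def parse_events(csv_text: str, day: str = DAY) -> list[dict]:
    """Parse the makeresults-style CSV into dicts, newest first (Splunk's default order)."""
    lines = [ln.strip() for ln in csv_text.strip().splitlines()]
    header = [h.strip() for h in lines[0].split(",")]
    events = []
    for ln in lines[1:]:
        row = dict(zip(header, (v.strip() for v in ln.split(","))))
        # Mirrors: eval _time = strptime("2024-08-22T" . _time, "%FT%H:%M")
        row["_time"] = datetime.strptime(f"{day}T{row['_time']}", "%Y-%m-%dT%H:%M")
        events.append(row)
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def pair_get_update(events: list[dict], field: str = "field1") -> list[dict]:
    """Emulate: transaction startswith="eventtype=get" endswith="eventtype=update".

    Events arrive newest-first, so an 'update' opens a transaction and the next
    'get' closes it. A 'get' with no open transaction is left unpaired, which is
    why 09:10, 09:01 and 08:59 do not appear in the output.
    """
    results = []
    open_update = None
    for ev in events:
        if ev["eventtype"] == "update":
            # Hypothetical simplification: the sample never has two updates in a
            # row, so simply remembering the latest unmatched update is enough.
            open_update = ev
        elif ev["eventtype"] == "get" and open_update is not None:
            results.append({
                "Before": ev[field],            # json_extract(mvindex(_raw, 0), "field1")
                "After": open_update[field],    # json_extract(mvindex(_raw, 1), "field1")
                "_time": ev["_time"],           # transaction _time = earliest event (the get)
            })
            open_update = None
    return results


if __name__ == "__main__":
    for row in pair_get_update(parse_events(RAW_CSV)):
        print(row["Before"], row["After"], row["_time"].strftime("%Y-%m-%d %H:%M:%S"))
```

Running it prints the same three rows as the table above, so a mismatch between this output and a real Splunk run points at ordering (the lexical-order side effect the note mentions) rather than at the json_extract logic.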