Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Propagate value between table rows using streamstats

segantinro
Engager
‎05-31-2022 09:03 AM

I have a table like this:

sc1.png

 

 

 

 

 

I would like to propagate "start" value and "end" value if "_time>=start AND _time<end".

It's like a "transaction" with "startwith and endwith", but I need to use "streamstats", because I can't lost event details.

So I would like to obtain:

sc2.png

 

 

 

 

 

 

Thanks

Labels (2)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-31-2022 09:27 AM

Given the limited example of what you are trying to do, can you do something with eventstats

| eventstats values(start) as start values(end) as end
| eval start=if(_time>=start AND _time <= end, start, null())
| eval end=if(_time>=start AND _time <= end, end, null())
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...