Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to check a value of a field in a subsequent event?

wsadowy1
Explorer
‎09-16-2016 04:50 AM

I was wondering if it is possible to check what's the value of a field in the next event.
Say I have an index with a field called "shift_start".
I would like to create an eval field called "next_shift_start" which would contain the shift_start value from the subsequent event.
I hope this makes sense.
Thanks in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎09-16-2016 06:51 AM

You need the autoregress command:

https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Autoregress

Reply
Solved! Jump to solution

wsadowy1
Explorer
‎09-16-2016 07:18 AM

Brilliant! However for some reason it gives me a previous value in one field and a next value in another. Namely - it will give me the previous shift_start, but subsequent log_date_time. Not sure why

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎09-16-2016 07:21 AM

It all depends on the settings.

0 Karma
Reply
Solved! Jump to solution

inventsekar
SplunkTrust
SplunkTrust
‎09-16-2016 05:07 AM

A logon script generates an event every time a user logs into the desktop. Here are the sample events in Splunk from those events -

user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse"
user_B;05/10/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/09/13 09:05:01 AM;field1="mouse";field2="horse"
user_B;05/09/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/08/13 11:05:01 AM;field1="mouse";field2="horse"

I want to be able to generate a report when "field1" changes per user, even compared to the last event. In this case I want a report that lists the event "user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse". Any help would be appreciated.

you base search | streamstats current=f window=1 global=f last(field1) as last_field1 by user | where field1!=last_field1

https://answers.splunk.com/answers/87382/comparing-fields-with-previous-events.html

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎09-16-2016 04:58 AM

Try this

your base search | streamstats window=1 current=f values(shift_start) as next_shift_start by employee

http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Streamstats

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...