Splunk Search

Can I change the values of a specific column, given certain dates and certain values

HattrickNZ
Motivator

I have a search that gives me the below:

    _time       A   B   C   D   
1   2016-01-01  1   3   5   7    
2   2016-01-02  1   3   5   7    
3   2016-01-03  1   3   5   7    
4   2016-01-04  1   3   5   7    
5   2016-01-05  1   3   5   7    
6   2016-01-06  1   3   5   7    
7   2016-01-07  1   3   5   7    
8   2016-01-08  1   3   5   7    

Can I change the values of a specific column, let's say column D, from the dates 2016-01-02 to 2016-01-07 to different numbers for each date, for simplicity let's say 2,3,4,5,6,7?

This way I will get:

    _time       A   B   C   D   
1   2016-01-01  1   3   5   7    
2   2016-01-02  1   3   5   2    
3   2016-01-03  1   3   5   3    
4   2016-01-04  1   3   5   4    
5   2016-01-05  1   3   5   5    
6   2016-01-06  1   3   5   6    
7   2016-01-07  1   3   5   7    
8   2016-01-08  1   3   5   7

I have asked a similar question like this before here -
https://answers.splunk.com/answers/233206/how-to-control-values-of-a-field-relative-to-the-v.html

which involves eval tcheck=strptime("2015-04-29","%F") | eval test=if(_time<=tcheck,450,600) which I think I could use but it might become a bit verbose.
Can anyone advise if there is a better way?

0 Karma
1 Solution

HattrickNZ
Motivator

the answer I am looking for is (one for each day, very verbose):

 eval tcheck=strptime("2016-01-02","%F") | eval D=if(_time==tcheck,2,D)

if there are spaces in your field names:

 eval tcheck=strptime("2016-01-02","%F") | eval "A bcd"=if(_time==tcheck,2,'A bcd')

note, you will have to drop fields accordingly...

0 Karma

somesoni2
SplunkTrust

Do you have a specific pattern of new values which will overwrite column D for that date range? If there is a pattern, there could be a shortcut to do that, but if those new values are hard-coded values with no pattern, then a giant case statement is the only option.

0 Karma

HattrickNZ
Motivator

fraid not, don't think there is a pattern. If you have the time, could you indulge me with an answer, one without a pattern and one with a pattern?

0 Karma
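
The case-statement approach mentioned in the thread for hard-coded values, written out for the table in the question. This is an added example, not part of any post above; the `makeresults` and `streamstats` lines only build constructed sample rows, and `n` and `day` are helper fields assumed here.

```spl
| makeresults count=8
| streamstats count AS n
| eval _time=strptime("2016-01-01","%F") + (n-1)*86400
| eval A=1, B=3, C=5, D=7
| eval day=strftime(_time,"%F")
| eval D=case(
    day=="2016-01-02", 2,
    day=="2016-01-03", 3,
    day=="2016-01-04", 4,
    day=="2016-01-05", 5,
    day=="2016-01-06", 6,
    day=="2016-01-07", 7,
    true(), D)
| fields - n, day
| table _time A B C D
```

Comparing the formatted day string also matches rows whose `_time` is not exactly midnight, which an `_time==tcheck` comparison would skip, and the final `true(), D` branch leaves every other date unchanged.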