- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I change the values of a specific column, give...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I havea a search that gives me the below:
_time A B C D
1 2016-01-01 1 3 5 7
2 2016-01-02 1 3 5 7
3 2016-01-03 1 3 5 7
4 2016-01-04 1 3 5 7
5 2016-01-05 1 3 5 7
6 2016-01-06 1 3 5 7
7 2016-01-07 1 3 5 7
8 2016-01-08 1 3 5 7
Can I change the values of a specific column, lets say column D, from the dates 2016-01-02 to 2016-01-07 to different numbers for each date, for simplicity
lets say 2,3,4,5,6,7?
This way I will get:
_time A B C D
1 2016-01-01 1 3 5 7
2 2016-01-02 1 3 5 2
3 2016-01-03 1 3 5 3
4 2016-01-04 1 3 5 4
5 2016-01-05 1 3 5 5
6 2016-01-06 1 3 5 6
7 2016-01-07 1 3 5 7
8 2016-01-08 1 3 5 7
I have asked a similar question like this before here -
https://answers.splunk.com/answers/233206/how-to-control-values-of-a-field-relative-to-the-v.html
which involves eval tcheck=strptime("2015-04-29","%F") | eval test=if(_time<=tcheck,450,600) which I think I could use but it might become a bit verbose.
Can anyone advise if there is a better way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the answer i ma looking for is, (one for each day, very verbose)
eval tcheck=strptime("2016-01-02","%F") | eval D=if(_time==tcheck,2,D)
if there is spaces in your fields names:
eval tcheck=strptime("2016-01-02","%F") | eval "A bcd"=if(_time==tcheck,2,'A bcd')
note, you will have to drop fields accordingly...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the answer i ma looking for is, (one for each day, very verbose)
eval tcheck=strptime("2016-01-02","%F") | eval D=if(_time==tcheck,2,D)
if there is spaces in your fields names:
eval tcheck=strptime("2016-01-02","%F") | eval "A bcd"=if(_time==tcheck,2,'A bcd')
note, you will have to drop fields accordingly...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you have specific pattern of new values which will overwrite the column D for that date range? If there is a pattern, there could be a shortcut to do that but if those new values are hard-coded values with no patter, then a giant case statement is the only option.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
fraid not, don't think there is a pattern, if you have the time could you indulge me with an answer , one without a pattern and one with a pattern.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
