Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I get this field value in my table?

tkwaller_2
Communicator
‎02-16-2018 01:38 PM

Hello
Im trying to get the contents of a field
What I am wanting is the date from a field called "Past Due Step Due Date" where the field "Workflow Step Sort Order" = 4 if the field cumulativePastDueDays2 is greater than 0, call the new field OverallDateDue

"Name"     "Workflow Step Sort Order"      "Past Due Step Due Date"     "cumulativePastDueDays2"
A     0    2018-02-15 20:38:10.154000      1
B     1    2018-03-01 20:38:10.154000
C     2    2018-03-08 20:38:10.154000
D     3    2018-03-15 20:38:10.154000
E     4    2018-03-22 20:38:10.154000

As an example I would like to return a table like this using the above table:

    "Name"     "cumulativePastDueDays2"      "OverallDateDue"
    A     1     2018-03-22 20:38:10.154000
0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-16-2018 02:03 PM

If I understand that correctly and you have the data coming from your base search as it appears above, then this should work.

... | search "Workflow Step Sort Order"=4 cumulativePastDueDays2>0 | rename "Past Due Step Due Date" as OverallDateDue | table Name, cumulativePastDueDays2, OverallDateDue
0 Karma
Reply

tkwaller_2
Communicator
‎02-16-2018 02:17 PM

Is there a way to do this in an eval? I cant re-search as there a re a ton of other fields, just trying to add this one in to the rest of the table.
Honestly if I could just display the OverallDateDue thats all I really need

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎02-16-2018 02:50 PM

Yes, BUT you will have to change the field names to not have spaces in them:

... | eval OverallDateDue=if(WorkflowStepSortOrder"==4 AND cumulativePastDueDays2>0 , PastDueStepDueDate ,"")
Reply

tkwaller_2
Communicator
‎02-18-2018 08:36 AM

Had to go about this a different way as the above wont work because, for example:
event A has a Sort Order of 0 and a due date of 2018-02-15 20:38:10.154000. Since its past due it gets a value of how many days late it is, in this case 1. In the table I am trying to get it to have the value of Sort Order 4 field "Past Due Step Due Date", which we would call OverallDateDue.

So what I did was
| eval OverallDateDue=if(cumulativePastDueDays > 0 , ProcessDueDate ,"")

Good answer above, could move that to answer, thanks for the help!

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...