Splunk Search

How can I get this field value in my table?

tkwaller_2
Communicator

Hello
I'm trying to get the contents of a field.
What I am wanting is the date from a field called "Past Due Step Due Date" where the field "Workflow Step Sort Order" = 4, if the field cumulativePastDueDays2 is greater than 0. Call the new field OverallDateDue.

    "Name"     "Workflow Step Sort Order"     "Past Due Step Due Date"       "cumulativePastDueDays2"
    A          0                              2018-02-15 20:38:10.154000     1
    B          1                              2018-03-01 20:38:10.154000
    C          2                              2018-03-08 20:38:10.154000
    D          3                              2018-03-15 20:38:10.154000
    E          4                              2018-03-22 20:38:10.154000

As an example I would like to return a table like this using the above table:

    "Name"     "cumulativePastDueDays2"      "OverallDateDue"
    A     1     2018-03-22 20:38:10.154000
0 Karma

cpetterborg
SplunkTrust

If I understand that correctly and you have the data coming from your base search as it appears above, then this should work.

... | search "Workflow Step Sort Order"=4 cumulativePastDueDays2>0 | rename "Past Due Step Due Date" as OverallDateDue | table Name, cumulativePastDueDays2, OverallDateDue
0 Karma

tkwaller_2
Communicator

Is there a way to do this in an eval? I can't re-search as there are a ton of other fields, just trying to add this one in to the rest of the table.
Honestly, if I could just display the OverallDateDue, that's all I really need.

0 Karma

cpetterborg
SplunkTrust

Yes, BUT you will have to change the field names to not have spaces in them:

... | eval OverallDateDue=if(WorkflowStepSortOrder==4 AND cumulativePastDueDays2>0, PastDueStepDueDate, "")

tkwaller_2
Communicator

Had to go about this a different way as the above won't work because, for example:
event A has a Sort Order of 0 and a due date of 2018-02-15 20:38:10.154000. Since it's past due it gets a value of how many days late it is, in this case 1. In the table I am trying to get it to have the value of Sort Order 4 field "Past Due Step Due Date", which we would call OverallDateDue.

So what I did was
| eval OverallDateDue=if(cumulativePastDueDays > 0 , ProcessDueDate ,"")

Good answer above, could move that to answer, thanks for the help!

0 Karma
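
The thread's sticking point is that the past-due flag and the step 4 date sit on different events, so a per-event `eval` cannot see both. One way to handle that, as an added example that is not from either poster: `eventstats` copies the step 4 date onto every row before the `eval` runs. The rows are constructed from the question's sample table, the field names are the space-free ones used in the answer above, `Step4DueDate` is a helper name introduced here, and a Splunk version whose `makeresults` accepts `format=csv` is assumed.

```spl
| makeresults format=csv data="Name,WorkflowStepSortOrder,PastDueStepDueDate,cumulativePastDueDays2
A,0,2018-02-15 20:38:10.154000,1
B,1,2018-03-01 20:38:10.154000,
C,2,2018-03-08 20:38:10.154000,
D,3,2018-03-15 20:38:10.154000,
E,4,2018-03-22 20:38:10.154000,"
| eventstats values(eval(if(tonumber(WorkflowStepSortOrder)==4, PastDueStepDueDate, null()))) as Step4DueDate
| eval OverallDateDue=if(tonumber(cumulativePastDueDays2)>0, Step4DueDate, "")
| table Name, cumulativePastDueDays2, OverallDateDue
```

In the constructed rows only A has cumulativePastDueDays2 above 0, so only A receives step 4's date. If one search returns several workflows, the `eventstats` needs a `by` clause on whatever field identifies a workflow, which the thread does not name.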