Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a column/field based on the max or value of another column

HattrickNZ
Motivator
‎05-17-2018 08:30 PM

This is my sample search and corresponding output:

 | makeresults 
    | eval data = "
    1    2017-12    A    155749    131033    84.1;
   2    2017-12    B    24869    23627    95;
   3    2017-12    C    117618    117185    99.6;
   " 
    | makemv delim=";" data 
    | mvexpand data
    | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
    | fields + date serial type attempts successfullAttempts sr 
    | rename date as _time 
    | search serial=*
| eval Q=attempts
| eval Q=if(Q==24869,"",Q)
| eval Q=if(Q==117618,"",Q)

OUTPUT

    _time   serial  type    attempts    successfullAttempts sr  Q
1   2017-12 1   A   155749  131033  84  155749
2   2017-12 2   B   24869   23627   95  
3   2017-12 3   C   117618  117185  99

I want to be able to get the value of Q(e.g. 155749 ) and create a new field called W but all the values of W would be 155749. Basically, fill out all the values in W with one value and that value being 155749, the max of Q in this case.

Sample Output of what I would like 

    _time   serial  type    attempts    successfullAttempts sr  Q   W
1   2017-12 1   A   155749  131033  84  155749   155749
2   2017-12 2   B   24869   23627   95             155749
3   2017-12 3   C   117618  117185  99           155749

I was thinking of doing ... | eval W=max(Q) but that won't work but hopefully helps understand what I am trying to do.
maybe I need to use streamstats or other. I couldn't quite get it. Maybe I need a for loop? advice appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

p_gurav
Champion
‎05-17-2018 09:39 PM

Can you try this:

| makeresults 
     | eval data = "
     1    2017-12    A    155749    131033    84.1;
    2    2017-12    B    24869    23627    95;
    3    2017-12    C    117618    117185    99.6;
    " 
     | makemv delim=";" data 
     | mvexpand data
     | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
     | fields + date serial type attempts successfullAttempts sr 
     | rename date as _time 
     | search serial=*
 | eval Q=attempts
 | eval Q=if(Q==24869,"",Q)
 | eval Q=if(Q==117618,"",Q)
 | eventstats max(Q) AS W
Reply
Solved! Jump to solution

niketn
Legend
‎05-20-2018 10:54 PM

@HattrickNZ if your issue is resolved, please accept @p_gurav 's answer as he had beaten me to it 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...