Solved: How do I access to a value for event and event-1

psiek · ‎04-17-2013

Hi,

I need to display value (string) of a field depending on the value of this field in previous event.
Something like this :

if previous_event.field = "toto" then display current_event.field else display "anomaly"
I've found something interesting with "transatcion" by I can't achieve to do this.

Any help is welcome.

Thanks in advance.

Regards

jonuwz · ‎04-18-2013

autoregress is going to be the simplests solution for you.

i.e.

 somesearch 
 | autoregress myfield as prev_myfield
 | eval display_field=if(prev_myfield=="toto",myfield,"anomoly")

if you need something more advanced than auoregress, streamstats allows you to do "by" clasuses etc.

View solution in original post

jonuwz · ‎04-18-2013

autoregress is going to be the simplests solution for you.

i.e.

 somesearch 
 | autoregress myfield as prev_myfield
 | eval display_field=if(prev_myfield=="toto",myfield,"anomoly")

if you need something more advanced than auoregress, streamstats allows you to do "by" clasuses etc.

psiek · ‎04-18-2013

That does the trick, excellent ! Many thanks.

How do I access to a value for event and event-1

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!