I'm looking to set a field value in an event based on field values in another event.
Given the data:
ev=1 req = 1234 sess=875
ev=3 req = 1234
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673
One of the events does not have the sess field defined, but it has the same req number as an event which does. From this, I am looking to populate the sess field in the event from which it is missing, so that the data becomes:
ev=1 req = 1234 sess=875
ev=3 req = 1234 sess=875
ev=4 req = 3004 sess=875
ev=4 req =3004 sess=673
since the req values match, the sess should be the same.
Any help is appreciated!
@jl23
You can use filldown also.
https://docs.splunk.com/Documentation/SplunkCloud/7.2.3/SearchReference/Filldown
YOUR_SEARCH | table ev req sess | filldown sess
My Sample Search:
| makeresults | eval data="ev=1 req=1234 sess=875|ev=3 req=1234|ev=4 req=3004 sess=875|ev=4 req=3004 sess=673",data=split(data,"|") | mvexpand data | eval _raw=data | kv | table ev req sess | filldown sess
Thanks
@jl23
Try
"your current search to get events "
|eventstats values(sess) as _tmp by req
|eval sess=coalesce(sess,_tmp)
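Added illustration (not part of either answer above, and not Splunk code): the two approaches differ in one important way. filldown copies the last seen sess forward regardless of req, so it depends on event order, while eventstats by req plus coalesce looks the value up per req and works in any order. The Python below models both on the question's constructed sample events; parse_event, filldown and fill_by_key are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample events, same shape as the question's data
# (the inconsistent spacing around "=" is kept on purpose).
SAMPLE_EVENTS = [
    "ev=1 req = 1234 sess=875",
    "ev=3 req = 1234",
    "ev=4 req = 3004 sess=875",
    "ev=4 req =3004 sess=673",
]

KV_RE = re.compile(r"(\w+)\s*=\s*(\S+)")

def parse_event(raw):
    """Extract key=value pairs, tolerating spaces around '=' as Splunk's kv does."""
    return dict(KV_RE.findall(raw))

def filldown(events, field):
    """Order-dependent fill: carry the most recent value of `field` forward,
    whatever req the previous event belonged to (what `filldown sess` does)."""
    out, last = [], None
    for e in events:
        e = dict(e)
        if field in e:
            last = e[field]
        elif last is not None:
            e[field] = last
        out.append(e)
    return out

def fill_by_key(events, field, key):
    """Order-independent fill: collect the values of `field` seen for each `key`
    (like `eventstats values(sess) as _tmp by req`) and coalesce them into
    events that lack `field`. An ambiguous req yields a list (multivalue)."""
    seen = defaultdict(set)
    for e in events:
        if key in e and field in e:
            seen[e[key]].add(e[field])
    out = []
    for e in events:
        e = dict(e)
        if field not in e and e.get(key) in seen:
            vals = sorted(seen[e[key]])
            e[field] = vals[0] if len(vals) == 1 else vals
        out.append(e)
    return out

def sess_values(events):
    """Return the sess value of each event, None where still missing."""
    return [e.get("sess") for e in events]
```

With the events in the order shown both methods give 875 for ev=3, but if the ev=3 event arrives first, filldown leaves sess empty while the per-req lookup still fills it.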