- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to check a value of a field in a subsequen...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was wondering if it is possible to check what's the value of a field in the next event.
Say I have an index with a field called "shift_start".
I would like to create an eval field called "next_shift_start" which would contain the shift_start value from the subsequent event.
I hope this makes sense.
Thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need the autoregress command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Autoregress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need the autoregress command:
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Autoregress
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Brilliant! However for some reason it gives me a previous value in one field and a next value in another. Namely - it will give me the previous shift_start, but subsequent log_date_time. Not sure why
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It all depends on the settings.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A logon script generates an event every time a user logs into the desktop. Here are the sample events in Splunk from those events -
user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse"
user_B;05/10/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/09/13 09:05:01 AM;field1="mouse";field2="horse"
user_B;05/09/13 09:01:01 AM;field1="cat";field2="mouse"
user_A;05/08/13 11:05:01 AM;field1="mouse";field2="horse"
I want to be able to generate a report when "field1" changes per user, even compared to the last event. In this case I want a report that lists the event "user_A;05/10/13 10:15:01 AM;field1="cat";field2="mouse". Any help would be appreciated.
you base search | streamstats current=f window=1 global=f last(field1) as last_field1 by user | where field1!=last_field1
https://answers.splunk.com/answers/87382/comparing-fields-with-previous-events.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | streamstats window=1 current=f values(shift_start) as next_shift_start by employee
http://docs.splunk.com/Documentation/Splunk/6.4.3/SearchReference/Streamstats
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
