Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a column/field based on the max or value of another column

HattrickNZ
Motivator
‎05-17-2018 08:30 PM

This is my sample search and corresponding output:

 | makeresults 
    | eval data = "
    1    2017-12    A    155749    131033    84.1;
   2    2017-12    B    24869    23627    95;
   3    2017-12    C    117618    117185    99.6;
   " 
    | makemv delim=";" data 
    | mvexpand data
    | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
    | fields + date serial type attempts successfullAttempts sr 
    | rename date as _time 
    | search serial=*
| eval Q=attempts
| eval Q=if(Q==24869,"",Q)
| eval Q=if(Q==117618,"",Q)

OUTPUT

    _time   serial  type    attempts    successfullAttempts sr  Q
1   2017-12 1   A   155749  131033  84  155749
2   2017-12 2   B   24869   23627   95  
3   2017-12 3   C   117618  117185  99

I want to be able to get the value of Q(e.g. 155749 ) and create a new field called W but all the values of W would be 155749. Basically, fill out all the values in W with one value and that value being 155749, the max of Q in this case.

Sample Output of what I would like 

    _time   serial  type    attempts    successfullAttempts sr  Q   W
1   2017-12 1   A   155749  131033  84  155749   155749
2   2017-12 2   B   24869   23627   95             155749
3   2017-12 3   C   117618  117185  99           155749

I was thinking of doing ... | eval W=max(Q) but that won't work but hopefully helps understand what I am trying to do.
maybe I need to use streamstats or other. I couldn't quite get it. Maybe I need a for loop? advice appreciated.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-17-2018 09:41 PM

@HattrickNZ add the following as your final pipe:

 <yourCurrentSearch>
| eventstats max(Q) as W
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

p_gurav
Champion
‎05-17-2018 09:39 PM

Can you try this:

| makeresults 
     | eval data = "
     1    2017-12    A    155749    131033    84.1;
    2    2017-12    B    24869    23627    95;
    3    2017-12    C    117618    117185    99.6;
    " 
     | makemv delim=";" data 
     | mvexpand data
     | rex field=data "(?<serial>\d)\s+(?<date>\d+-\d+)\s+(?<type>\w)\s+(?<attempts>\d+)\s+(?<successfullAttempts>\d+)\s+(?<sr>\d+)"
     | fields + date serial type attempts successfullAttempts sr 
     | rename date as _time 
     | search serial=*
 | eval Q=attempts
 | eval Q=if(Q==24869,"",Q)
 | eval Q=if(Q==117618,"",Q)
 | eventstats max(Q) AS W
Reply
Solved! Jump to solution

niketn
Legend
‎05-20-2018 10:54 PM

@HattrickNZ if your issue is resolved, please accept @p_gurav 's answer as he had beaten me to it 😉

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...