Hi,
I have a test field with multiple values
A
B
C
D
etc...
In my Splunk query I want to iterate over that field and build a new field
A@B
B@C
C@D
etc...
Is there a way to accomplish this?
I tried some different things with eval but was not able to build that field.
Thanks in advance
Use streamstats. This is exactly a use case for it.
Try this, assuming your special field is called "MyField" and the new field is "MyField_new":
<YOUR_BASE_SEARCH>
| streamstats current=f window=1 last(MyField) as prev
| eval MyField_new = MyField ."@". prev
| fields - prev
This can also be done with the autoregress command as follows:
<YOUR_BASE_SEARCH>
| autoregress MyField
| eval MyField_new = MyField ."@". MyField_p1
| fields - MyField_p1
Thank you too
Hi tpirozzi,
could you better explain your need?
Bye.
Giuseppe
Trying to build information for a Sankey Diagram.
Thank you!
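A run-anywhere version of the streamstats approach from the answers above, added here as an example and not taken from any poster: it covers the case where MyField is a single multivalue field and shapes the pairs for a Sankey diagram. The values A to D are constructed sample data, and the output names source, target and count are assumptions about what the visualization expects.

```spl
| makeresults
| eval MyField=split("A,B,C,D", ",")
| mvexpand MyField
| streamstats current=f window=1 last(MyField) as prev
| where isnotnull(prev)
| eval MyField_new = prev . "@" . MyField
| stats count by prev, MyField, MyField_new
| rename prev as source, MyField as target
```

With rows in the order A, B, C, D, putting prev on the left yields A@B, B@C and C@D. The where clause drops the first row, which has no previous value and would otherwise produce a null MyField_new.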