splunk eval row with last field

jaxob01 · ‎09-05-2018

Hello Splunkers

i requiered eval the last field with current row.

example:

field 1 ...... field2.........field3........................................................................result
1..................1..............(field1+field2)...........................................................field3
3..................4..............(last_field3 + current field1) - current field2) ... current field3
7..................2..............(last_field3 + current field1) - current field2) ... current field3

numeric example

field 1 ...... field2.........field3...........................result
1..................1..............(1+1)...............................2
3..................4..............(2 + 3) - 4) ..................... 1
7..................2..............(1 + 7) - 2) ......................6

thanks!!!

FrankVl · ‎09-06-2018

I thought I had an idea how to solve this:

| makeresults 
| eval field1 = 1 
| eval field2 = 1 
| eval field3 = field1+field2 
| append [
| makeresults 
| eval field1 = 3 
| eval field2 = 4 
]
| append [
| makeresults 
| eval field1 = 7 
| eval field2 = 2 
]
| fields - _time
| eval field3 = coalesce(field3,field1-field2)
| streamstats window=2 sum(field3) as field3

But it seems streamstats (even though it is configured to write the sum back into field3) takes the original field3 values, rather than those from after streamstats was applied to the previous event.

So not sure how you can do such a 'recursive' eval. Still posting this as it might inspire others to come up with something that does work.

splunk eval row with last field

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...