https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672766#M230397 <P>So if you just want to narrow down on the IncidentIds that this occurred on, I thing doing a stats aggregation would be more efficient. Something like this.</P><LI-CODE lang="markup">&lt;base_search&gt; | fields + _time, IncidentId, Description, Status, Severity | sort 0 +_time | stats values(Description) as Description, latest(Status) as Status, dc(Severity) as dc_severity, list(Severity) as Sequence_Severity, earliest(Severity) as Old_Severity, latest(Severity) as New_Severity by IncidentId | where 'dc_severity'&gt;1 | fields - dc_severity</LI-CODE><P>&nbsp;<BR />If you want to retain all of the original events apart of any IncidentId that this occurred on then you could use some sort of combo of streamstats and eventstats (less efficient but more detailed)</P><LI-CODE lang="markup">&lt;base_search&gt; | fields + _time, IncidentId, Description, Status, Severity | sort 0 +IncidentId, -_time | streamstats window=2 earliest(Severity) as Old_Severity, latest(Severity) as New_Severity by IncidentId | eventstats max(eval(if(NOT 'Old_Severity'=='New_Severity', 1, 0))) as status_change by IncidentId | where 'status_change'&gt;0 | fields - status_change</LI-CODE> Wed, 27 Dec 2023 16:36:20 GMT dtburrows3 2023-12-27T16:36:20Z https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672755#M230391 <P>Hello guys<BR /><BR />I need some help with making a table/dashboard that shows me changes to incidents in our Defender platform.<BR />The underlying issue that we see is that Defender sometimes, when an incident is handled by automation, de-escalate the severity of a particular incident.<BR /><BR />So in my index of incidents i want to track for each specific incident that is handled by automation to show me when the severity field changes.&nbsp;<BR /><BR />The table should look something link this.<BR /><BR />IncidentId&nbsp; &nbsp; &nbsp; &nbsp;Description&nbsp; &nbsp; &nbsp; &nbsp;Status&nbsp; &nbsp; Old_Severity&nbsp; &nbsp; &nbsp;New_Severity<BR /><BR /><BR />I don't know whether to use the streamstats or the dedup command. I've been fiddling abit with both but can't seem to get the right output.<BR /><BR />Anyways, hope you can help me out here. If theres something unclear about my question, let me know so i can clarify.<BR /><BR /></P> Wed, 27 Dec 2023 15:35:19 GMT https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672755#M230391 akselsoeb 2023-12-27T15:35:19Z https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672766#M230397 <P>So if you just want to narrow down on the IncidentIds that this occurred on, I thing doing a stats aggregation would be more efficient. Something like this.</P><LI-CODE lang="markup">&lt;base_search&gt; | fields + _time, IncidentId, Description, Status, Severity | sort 0 +_time | stats values(Description) as Description, latest(Status) as Status, dc(Severity) as dc_severity, list(Severity) as Sequence_Severity, earliest(Severity) as Old_Severity, latest(Severity) as New_Severity by IncidentId | where 'dc_severity'&gt;1 | fields - dc_severity</LI-CODE><P>&nbsp;<BR />If you want to retain all of the original events apart of any IncidentId that this occurred on then you could use some sort of combo of streamstats and eventstats (less efficient but more detailed)</P><LI-CODE lang="markup">&lt;base_search&gt; | fields + _time, IncidentId, Description, Status, Severity | sort 0 +IncidentId, -_time | streamstats window=2 earliest(Severity) as Old_Severity, latest(Severity) as New_Severity by IncidentId | eventstats max(eval(if(NOT 'Old_Severity'=='New_Severity', 1, 0))) as status_change by IncidentId | where 'status_change'&gt;0 | fields - status_change</LI-CODE> Wed, 27 Dec 2023 16:36:20 GMT https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672766#M230397 dtburrows3 2023-12-27T16:36:20Z https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672825#M230427 <P>Thank you&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/263242">@dtburrows3</a>&nbsp;<BR />This was exactly what i was looking for.</P> Thu, 28 Dec 2023 09:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Track-Changes-to-a-field/m-p/672825#M230427 akselsoeb 2023-12-28T09:44:52Z