Knowledge Management

How do you append data resulting from a previous search by subtracting 1 from the result in a field?

DeanDeleon0
Path Finder

Hello all,

I am trying take the results of my search and append the results based on that search from the "OID" field.

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""  
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState
| sort -LastModifiedDateTime |eval NewOID = OID - 1 

alt text

As per the example above, I want to take the resulting OID's found and subtract that result and get minus 1 of that (As per NewOID).
Then, I want to take that "newOID" and append it to the current table by searching those as "OID" to display the new results. The result should be similar to the example below. To get these results I manually entered the resulting OID variables.

So if the OID= 5361529, I want to subtract 1 from that and get OID=5361528 and display both results on the same table. I hope this makes sense.

Is there an easy way to do this?

alt text

Thanks,

Dean

Tags (1)
0 Karma
1 Solution

DeanDeleon0
Path Finder
(index=somewhere sourcetype=something source=somethingelse) AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription)) NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details"  | eventstats count as duplicates by LastModifiedDateTime | where duplicates>1
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState 
| sort -LastModifiedDateTime

alt text

I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those.

View solution in original post

0 Karma

DeanDeleon0
Path Finder
(index=somewhere sourcetype=something source=somethingelse) AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription)) NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details"  | eventstats count as duplicates by LastModifiedDateTime | where duplicates>1
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState 
| sort -LastModifiedDateTime

alt text

I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those.

0 Karma

Vijeta
Influencer

Do you mean this-

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""  
 |eval NewOID = OID - 1 | table OID,  NewOID ,CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState
 | sort -LastModifiedDateTime 
0 Karma

DeanDeleon0
Path Finder

Hi Vijeta,

I need to use the results of that (Use "NewOID") to search for the same thing as per the 2nd example. Basically cycle it back into itself to search for OID's with one number down.

As per the 2nd example.

OID=5361529 results in NewOID=5361528. Now I need to search NewOID=5361528 as OID=5361528 so I get a second set of results (basically showing me one row down from the extracted table). I only need it to do this once per original OID found.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...