Knowledge Management

How do you append data resulting from a previous search by subtracting 1 from the result in a field?

DeanDeleon0
Path Finder

Hello all,

I am trying to take the results of my search and append the results based on that search from the "OID" field.

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment, Creator, CurrentState
| sort -LastModifiedDateTime
| eval NewOID = OID - 1


As per the example above, I want to take the resulting OIDs found and subtract 1 from that result (as per NewOID).
Then, I want to take that "NewOID" and append it to the current table by searching those as "OID" to display the new results. The result should be similar to the example below. To get these results I manually entered the resulting OID variables.

So if the OID= 5361529, I want to subtract 1 from that and get OID=5361528 and display both results on the same table. I hope this makes sense.

Is there an easy way to do this?


Thanks,

Dean

1 Solution

DeanDeleon0
Path Finder
(index=somewhere sourcetype=something source=somethingelse)
    AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription))
    NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details"
| eventstats count as duplicates by LastModifiedDateTime
| where duplicates>1
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment, Creator, CurrentState
| sort -LastModifiedDateTime


I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those.



Vijeta
Influencer

Do you mean this-

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""
| eval NewOID = OID - 1
| table OID, NewOID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment, Creator, CurrentState
| sort -LastModifiedDateTime

DeanDeleon0
Path Finder

Hi Vijeta,

I need to use the results of that (use "NewOID") to search for the same thing as per the 2nd example. Basically cycle it back into itself to search for OIDs with one number down.

As per the 2nd example.

OID=5361529 results in NewOID=5361528. Now I need to search NewOID=5361528 as OID=5361528 so I get a second set of results (basically showing me one row down from the extracted table). I only need it to do this once per original OID found.

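The "feed NewOID back into the search as OID" step that Dean describes can be done with a subsearch, so that the original rows and the OID-1 rows land in one table without entering the OIDs by hand. This is an added example, not code from any post in the thread; the index, sourcetype, source and field names are the ones used in the question, and the assumption is that OID is extracted as a numeric value.

```spl
index=somewhere sourcetype=something source=somethingelse
    (
        (Action=Save CurrentState=Closed Comment!="")
        OR
        [ search index=somewhere sourcetype=something source=somethingelse Action=Save CurrentState=Closed Comment!=""
          | eval OID = OID - 1
          | fields OID ]
    )
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment, Creator, CurrentState
| sort -LastModifiedDateTime
```

The inner search is the original filter; its OID values are decremented and, because a subsearch returns its fields as a search filter, the bracketed part expands to something like `(OID=5361528) OR (OID=5361527) ...`. The outer search therefore matches both the original events and the events one OID below each of them, which is the "one row down" Dean asked for, once per original OID. Two caveats worth checking before relying on this: subsearches are limited by default to 10,000 results and a 60-second runtime, so on a large result set the expanded filter may be silently truncated, and the eval only works if OID is numeric (a non-numeric OID yields a null NewOID and drops out of the filter).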