Solved: Re: How do you append data resulting from a previo...

DeanDeleon0 · ‎10-30-2018

Hello all,

I am trying take the results of my search and append the results based on that search from the "OID" field.

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""  
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState
| sort -LastModifiedDateTime |eval NewOID = OID - 1

As per the example above, I want to take the resulting OID's found and subtract that result and get minus 1 of that (As per NewOID).
Then, I want to take that "newOID" and append it to the current table by searching those as "OID" to display the new results. The result should be similar to the example below. To get these results I manually entered the resulting OID variables.

So if the OID= 5361529, I want to subtract 1 from that and get OID=5361528 and display both results on the same table. I hope this makes sense.

Is there an easy way to do this?

Thanks,

Dean

DeanDeleon0 · ‎11-15-2018

(index=somewhere sourcetype=something source=somethingelse) AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription)) NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details"  | eventstats count as duplicates by LastModifiedDateTime | where duplicates>1
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState 
| sort -LastModifiedDateTime

I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those.

View solution in original post

DeanDeleon0 · ‎11-15-2018

(index=somewhere sourcetype=something source=somethingelse) AND ((Action=Save AND CurrentState=Closed AND Comment="Processed by ChangeGear Mobile.") OR (Action=CommentaryDescription)) NOT CurrentState="In-Progress" NOT CurrentState="Unsubmitted" NOT CurrentState="New" NOT CurrentState="Waiting for Details"  | eventstats count as duplicates by LastModifiedDateTime | where duplicates>1
| table OID, CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState 
| sort -LastModifiedDateTime

I ended up looking at the issue in a different way. I realized that the LastModifiedDateTime entries for these were the exact same timestamps and appear to only occur during the specific conditions I was filtering for. So I ended up going with the changes as per above, where I would find the duplicate timestamps and filter only for those.

Vijeta · ‎10-30-2018

Do you mean this-

index=Somewhere sourcetype=Something source=somethingelse Action=Save CurrentState=Closed Comment!=""  
 |eval NewOID = OID - 1 | table OID,  NewOID ,CreatedDateTime, LastModifiedDateTime, Requester, TicketID, Action, Comment , Creator, CurrentState
 | sort -LastModifiedDateTime

DeanDeleon0 · ‎10-31-2018

Hi Vijeta,

I need to use the results of that (Use "NewOID") to search for the same thing as per the 2nd example. Basically cycle it back into itself to search for OID's with one number down.

As per the 2nd example.

OID=5361529 results in NewOID=5361528. Now I need to search NewOID=5361528 as OID=5361528 so I get a second set of results (basically showing me one row down from the extracted table). I only need it to do this once per original OID found.

How do you append data resulting from a previous search by subtracting 1 from the result in a field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!