Consider, I have two files, File1 and File2.
File1 and File2 got indexed last month with events in file1, say A, B, and events in file2, say C, D.
They again got indexed today, file1 with the same events A and B but file2 with C, D, E, F. This means that the modified version of file2 has different events compared to its last version.
Now, I need to display in the panel all files like file2 whose current events are different from their last events.
Thanks in advance!
Count the events by type and month; where there is only one, e.g. E and F, these are new events.
Can any code be provided? Below is my dashboard, which might be useful for reference. The 1st panel has the different versions of files and the 2nd panel has the unique events in each. Any help?
Not tremendously helpful since it isn't clear where Events have come from or whether InvVersion represents the different months, but assuming Events is a collection of Events and InvVersion are the different months, then
| stats count values(InvVersion) as InvVersion by Events File
| where count=1
Your assumptions are correct, but the 2nd panel is dependent on the 1st panel. When I click the file in the 1st panel, the 2nd one gets displayed by drilldown. The view you are seeing in the 2nd panel is of the unique events of one file in different versions. Now, from this, there are numerous files with such differences. Some have unique events, some don't. How can I display the names of files which have different events in the versions?
For simplicity, instead of taking 4 versions of a file (as in my dashboard, of which I shared the pic), let's assume there are only two versions.
It is not clear whether the events are unique within each file for each version, so assuming they aren't, you can count them and ignore the count, then count the number of versions there are for each combination of event and file. Any with this second count as 1 only occurs in one of the file versions.
| stats count by InvVersion Events File
| stats count by Events File
| where count=1
| dedup File
| table File
Panel 2 displays the events unique in each version of a file, i.e. count=1 of _raw in each version of the file.
I need the names of all the files whose versions have unique events, i.e. if the first version of file1 has A B and the second version has A C, and file2 has A and B in both events, then file1 should be my answer.
Have you tried my suggestion? Here is a run-anywhere version to show it working with the data you suggested:
| makeresults
| eval _raw="InvVersion,File,Events
1,file1,A
1,file1,B
2,file1,A
2,file1,C
1,file2,A
1,file2,B
2,file2,A
2,file2,B"
| multikv forceheader=1
| fields - _* linecount
| stats count by InvVersion Events File
| stats count by Events File
| where count=1
| dedup File
| table File
The solution which you suggested, where can I put this in my code? But it's not working for some files like
here the pas.csv has a different event in a version, but the name of this file is not displayed in the output.
Replace lines 5-7 with
| stats count by InvVersion path file
| stats count by path file
| where count=1
| dedup file
| table file
This is displaying the names of all files, not only the files with different events.
Try this - I was not taking into account multiple copies of the different versions
| eval path=trim(path)
| eval file=trim(file)
| stats count by InvVersion path file
| stats count by path file
| stats dc(count) as versions by file
| where versions>1
| dedup file
| table file
Also, is it possible that either or both path and file have trailing spaces?
No results displayed.
No trailing spaces.
Remove lines 7 and 8 - they were from setting up sample data, not part of the solution
Still no output sir
Remove line 7
Still no output, sir. What is the logic of line 10?
Another approach
| makeresults
| eval _raw="InvVersion,File,Events
1,file1,A B
2,file1,A B
3,file1,A B C
4,file1,A B C
1,file2,M N
2,file2,M N
3,file2,M O
4,file2,M P
1,file3,A
1,file3,B
2,file3,A
2,file3,B
3,file3,A
3,file3,B
3,file3,C
4,file3,A
4,file3,B
4,file3,C
1,file4,M N
2,file4,M N
3,file4,M N
4,file4,M N
1,file5,M
1,file5,N
2,file5,M
2,file5,N
3,file5,M
3,file5,N
4,file5,M
4,file5,N"
| multikv forceheader=1
| fields - _* linecount
| stats count by InvVersion Events File
| eventstats dc(InvVersion) as versions by File
| stats values(versions) as versions count by Events File
| where versions>count
| dedup File
| table File
No output for the exact same. Did you get the output?
What does your search look like now?
I tried with my use case (a little unique), with a single-line modification, and it's working. And your code is also working. Thanks a ton.
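
An added Python model of the two SPL pipelines discussed in this thread (not code from any poster): it replays the "where count=1" search and the "where versions>count" search over rows constructed from the four-version sample data above, to show which files each one flags. The function names and the SAMPLE/ROWS layout are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: file -> {InvVersion: [Events values]}, modelled on the
# four-version run-anywhere data posted in the thread.
SAMPLE = {
    "file1": {1: ["A B"], 2: ["A B"], 3: ["A B C"], 4: ["A B C"]},
    "file2": {1: ["M N"], 2: ["M N"], 3: ["M O"], 4: ["M P"]},
    "file3": {1: ["A", "B"], 2: ["A", "B"], 3: ["A", "B", "C"], 4: ["A", "B", "C"]},
    "file4": {v: ["M N"] for v in (1, 2, 3, 4)},
    "file5": {v: ["M", "N"] for v in (1, 2, 3, 4)},
}
ROWS = [(v, f, e) for f, vers in SAMPLE.items() for v, evs in vers.items() for e in evs]


def versions_seen(rows):
    """Model of `| stats count by InvVersion Events File` with the count ignored:
    duplicate rows collapse, leaving the set of versions per file and per (file, event)."""
    file_versions, event_versions = defaultdict(set), defaultdict(set)
    for version, file, event in set(rows):
        file_versions[file].add(version)
        event_versions[(file, event)].add(version)
    return file_versions, event_versions


def first_approach(rows):
    """`| stats count by Events File | where count=1 | dedup File`:
    flags a file only if some event value occurs in exactly one version."""
    _, event_versions = versions_seen(rows)
    return sorted({f for (f, _), vers in event_versions.items() if len(vers) == 1})


def final_approach(rows):
    """`| eventstats dc(InvVersion) as versions by File
        | stats values(versions) as versions count by Events File
        | where versions>count | dedup File`:
    flags a file if some event value is missing from at least one of its versions."""
    file_versions, event_versions = versions_seen(rows)
    return sorted({f for (f, _), vers in event_versions.items()
                   if len(file_versions[f]) > len(vers)})


if __name__ == "__main__":
    print("count=1        :", first_approach(ROWS))
    print("versions>count :", final_approach(ROWS))
```

With only two versions per file the two searches agree; with four versions, an event value that appears in two of them is missed by count=1 but caught by versions>count.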