I'm new to Splunk and I'm asking for help.
I will give an example below. If event_id or orig_event_id are the same, count them; I want to look up the event_id for the case where the count is not 3.
Therefore, in this case, the count of event_id 7 is 2, not 3, so 7 should be the lookup.
Could you possibly help me?
[data table]
index | type | event_id | orig_event_id |
A | a | 1 | |
A | b | 1 | |
B | c | 1 | |
A | a | 3 | |
A | b | 3 | |
B | c | 3 | |
A | a | 5 | |
A | b | 5 | |
B | c | 5 | |
A | a | 7 | |
A | b | 7 | |
[result]
A | a | 7 | |
A | b | 7 | |
Not sure if this is what you are after, as your description does not quite tally with your example.
| stats count(eval(event_id == orig_event_id)) as count by index type
Are you just after the last event_id and orig_event_id by index and type?
| stats last(event_id) as event_id last(orig_event_id) as orig_event_id by index type
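A self-contained search that reproduces the poster's sample table and returns exactly the two rows for event_id 7, as an added example that is not part of either post above. It builds the data inline with makeresults, so it runs in any Splunk search bar with no index. Assumptions made here: the field is named src_index rather than index because index is a reserved default field in Splunk, and a blank orig_event_id is treated as "no original event", so the grouping key is orig_event_id when it is set and event_id otherwise. eventstats is used instead of stats so the original rows survive the filter.

```spl
| makeresults
| eval row="A,a,1,;A,b,1,;B,c,1,;A,a,3,;A,b,3,;B,c,3,;A,a,5,;A,b,5,;B,c,5,;A,a,7,;A,b,7,"
| makemv delim=";" row
| mvexpand row
| rex field=row "^(?<src_index>[^,]*),(?<type>[^,]*),(?<event_id>[^,]*),(?<orig_event_id>[^,]*)$"
| fields - row _time
``` assumed: blank orig_event_id means the row has no original event, so key on event_id itself
| eval key=if(isnull(orig_event_id) OR orig_event_id="", event_id, orig_event_id)
``` count rows sharing a key while keeping every row (stats would collapse them)
| eventstats count AS key_count BY key
``` keep only the groups whose count is not the expected 3
| where key_count != 3
| fields src_index type event_id orig_event_id
```

The three comment-style lines starting with ``` are annotations and must be removed before pasting into Splunk; SPL has no inline comment syntax, so the runnable search is the pipeline of commands only. With the sample data this yields the two 7 rows. If you instead want one row per offending key, replace the eventstats line with `| stats count AS key_count, values(src_index) AS src_index, values(type) AS type BY key` and drop the final fields command.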