Solved: In a search, Is there an alternative for the event...

patricianaguit · ‎09-26-2018

I need to find another way instead of eventstats for my search.

Is there a way where I can tag the events and add another field based on hierarchy other than eventstats?

For example
Id 1 has different initial tags (A,B,C, and D) since A is the highest, the final tag should be "A"

ID   |                InitialTag               |  FinalTag
1                        A                            A
1                        B                            A
1                        C                            A
1                        D                            A

Tag Ranks:
A
B
C
D

harishalipaka · ‎09-26-2018

hi @patricianaguit

Can you try this

you can use streamstats
or

 |stats values(InitalTag) by ID

Thanks
Harish

View solution in original post

harishalipaka · ‎09-26-2018

hi @patricianaguit

Can you try this

you can use streamstats
or

 |stats values(InitalTag) by ID

Thanks
Harish

patricianaguit · ‎10-03-2018

thank you!

In a search, Is there an alternative for the eventstats command?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University

Are you a member of the Splunk Community?

In a search, Is there an alternative for the eventstats command?

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

A Prelude to .conf25: Your Guide to Splunk University