Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

condition command to merge events

antonio147
Communicator
‎05-05-2021 07:55 AM

Hi all,
I performed an initial search, to this I added a second search, with the map command, where based on the values of the OLD field, it performs the search on the same index.

index=summary
| search PRATICA ="TRAS" AND LA_OLD !=null
|dedup LA
|table CODICE_,CANALE,ADDRESS,PRATICA, LA,LA_OLD,PACCHETTO,DATA

|map [search index=summary LA="$LA_OLD$"
|rename LA as LAC_OLD, ADDRESS as ADDRESS_OLD,PACCHETTO as PT_OLD
|eval CODE="$CODICE$",LA_NEW="$LA$",CANALE="$CANALE$",PRATICA_G="$PRATICA$",PT_NEW="PACCHETTO$",ADDRESS_NEW="$ADDRESS$",,DATA_MIG="$DATA$"
] maxsearches=9999
|dedup LA_NEW
|table CODE,CANALE,PRATICA_G, LA_NEW,LAC_OLD,PT_NEW,PT_OLD,ADDRESS_NEW,ADDRESS_OLD,DATA_MIG

 

the first query finds 1400 events, the second query only finds 250 and returns me only 250.
I would like him to give me back all 1400 events but filled in the changes of the 250 (which are the OLDs)

Tks

BR

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 08:01 AM

Try removing the dedup LA_NEW

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 08:01 AM

Try removing the dedup LA_NEW

Reply
Solved! Jump to solution

antonio147
Communicator
‎05-07-2021 06:52 AM

Removing it and inserting it into the map worked
Tks

0 Karma
Reply
Solved! Jump to solution

antonio147
Communicator
‎05-05-2021 08:26 AM

unfortunately I remove the dedup, it extracts more than 17000 events as there are many lines for the same event 

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...