Solved: condition command to merge events

antonio147 · ‎05-05-2021

Hi all,
I performed an initial search, to this I added a second search, with the map command, where based on the values of the OLD field, it performs the search on the same index.

index=summary
| search PRATICA ="TRAS" AND LA_OLD !=null
|dedup LA
|table CODICE_,CANALE,ADDRESS,PRATICA, LA,LA_OLD,PACCHETTO,DATA

|map [search index=summary LA="$LA_OLD$"
|rename LA as LAC_OLD, ADDRESS as ADDRESS_OLD,PACCHETTO as PT_OLD
|eval CODE="$CODICE$",LA_NEW="$LA$",CANALE="$CANALE$",PRATICA_G="$PRATICA$",PT_NEW="PACCHETTO$",ADDRESS_NEW="$ADDRESS$",,DATA_MIG="$DATA$"
] maxsearches=9999
|dedup LA_NEW
|table CODE,CANALE,PRATICA_G, LA_NEW,LAC_OLD,PT_NEW,PT_OLD,ADDRESS_NEW,ADDRESS_OLD,DATA_MIG

the first query finds 1400 events, the second query only finds 250 and returns me only 250.
I would like him to give me back all 1400 events but filled in the changes of the 250 (which are the OLDs)

Tks

BR

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

View solution in original post

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

antonio147 · ‎05-07-2021

Removing it and inserting it into the map worked
Tks

antonio147 · ‎05-05-2021

unfortunately I remove the dedup, it extracts more than 17000 events as there are many lines for the same event

condition command to merge events

eval

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!