Solved: Re: condition command to merge events

antonio147 · ‎05-05-2021

Hi all,
I performed an initial search, to this I added a second search, with the map command, where based on the values of the OLD field, it performs the search on the same index.

index=summary
| search PRATICA ="TRAS" AND LA_OLD !=null
|dedup LA
|table CODICE_,CANALE,ADDRESS,PRATICA, LA,LA_OLD,PACCHETTO,DATA

|map [search index=summary LA="$LA_OLD$"
|rename LA as LAC_OLD, ADDRESS as ADDRESS_OLD,PACCHETTO as PT_OLD
|eval CODE="$CODICE$",LA_NEW="$LA$",CANALE="$CANALE$",PRATICA_G="$PRATICA$",PT_NEW="PACCHETTO$",ADDRESS_NEW="$ADDRESS$",,DATA_MIG="$DATA$"
] maxsearches=9999
|dedup LA_NEW
|table CODE,CANALE,PRATICA_G, LA_NEW,LAC_OLD,PT_NEW,PT_OLD,ADDRESS_NEW,ADDRESS_OLD,DATA_MIG

the first query finds 1400 events, the second query only finds 250 and returns me only 250.
I would like him to give me back all 1400 events but filled in the changes of the 250 (which are the OLDs)

Tks

BR

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

View solution in original post

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

antonio147 · ‎05-07-2021

Removing it and inserting it into the map worked
Tks

antonio147 · ‎05-05-2021

unfortunately I remove the dedup, it extracts more than 17000 events as there are many lines for the same event

condition command to merge events

eval

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?