Solved: Re: condition command to merge events

antonio147 · ‎05-05-2021

Hi all,
I performed an initial search, to this I added a second search, with the map command, where based on the values of the OLD field, it performs the search on the same index.

index=summary
| search PRATICA ="TRAS" AND LA_OLD !=null
|dedup LA
|table CODICE_,CANALE,ADDRESS,PRATICA, LA,LA_OLD,PACCHETTO,DATA

|map [search index=summary LA="$LA_OLD$"
|rename LA as LAC_OLD, ADDRESS as ADDRESS_OLD,PACCHETTO as PT_OLD
|eval CODE="$CODICE$",LA_NEW="$LA$",CANALE="$CANALE$",PRATICA_G="$PRATICA$",PT_NEW="PACCHETTO$",ADDRESS_NEW="$ADDRESS$",,DATA_MIG="$DATA$"
] maxsearches=9999
|dedup LA_NEW
|table CODE,CANALE,PRATICA_G, LA_NEW,LAC_OLD,PT_NEW,PT_OLD,ADDRESS_NEW,ADDRESS_OLD,DATA_MIG

the first query finds 1400 events, the second query only finds 250 and returns me only 250.
I would like him to give me back all 1400 events but filled in the changes of the 250 (which are the OLDs)

Tks

BR

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

View solution in original post

ITWhisperer · ‎05-05-2021

Try removing the dedup LA_NEW

antonio147 · ‎05-07-2021

Removing it and inserting it into the map worked
Tks

antonio147 · ‎05-05-2021

unfortunately I remove the dedup, it extracts more than 17000 events as there are many lines for the same event

condition command to merge events

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation