Hi, @493669 @MuS @dturnbull_splun @bowesmana
Can anyone please help me replace the join in the query below?
" index=167515-np sourcetype=hardware
| fields deviceId, productType, productId, physicalType
| search physicalType=Chassis
| dedup deviceId
| join deviceId [ search index=167515-np [| `last_np_sourcetype( "index=167515-np", "group_members")` ] groupId=288348 | fields deviceId ]
| stats dc(productId) as PIDs by productType
| search productType=Routers
| table PIDs"
Thanks
Fixed sample:
(index=167515-np sourcetype=hardware physicalType=Chassis) OR (index=167515-np
[| `last_np_sourcetype( "index=167515-np", "group_members")` ] groupId=288348 )
| fields deviceId, productType, productId, physicalType, sourcetype
| stats values(*) as * dc(sourcetype) as flag by deviceId
| where flag > 1
| stats dc(productId) as PIDs by productType
| search productType=Routers
| table PIDs
I made a mistake and fixed it.