We are ingesting SCOM events.
When an alert is triggered it is assigned an id (the earliest event pictured) and we have created a dashboard of alerts that are in status new.
The issue we have is that some of the alerts have actually been resolved, but the logs that show an alert as resolved carry the id as "monitoringalertid", not "id", so the dedup on "id" isn't working.
We are having issues joining these alerts to get the latest status and remove alert if it has been solved.
The only value to match these events is the id/monitoringalertid.
Anyone know a way to match these events?
Thanks @manjunathmeti,
Tried using coalesce but this doesn't seem to work.
I have noticed that the logs that have a monitoringalertid field matching the original id also have a field id which does not match the original id.
This might be causing the issue with coalesce.
Is there another way to match id with monitoringalertid and then ignore the alert if its latest status is closed?
You can use coalesce to set id=monitoringalertid where id is null.
| eval id=coalesce(id, monitoringalertid) | dedup id
More info on coalesce here: https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/ConditionalFunctions#coalesce.28X...
If this reply helps you, an upvote/like would be appreciated.
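Added example, not posted by either participant and not SCOM or Splunk code: a small Python emulation of the dedup over constructed events (field names and the "Closed" status value are assumed, as are the sample ids) that shows why coalesce(id, monitoringalertid) keeps the wrong key when the resolution event carries its own id, and the key preference that does match the follow-up's description.

```python
# Constructed sample events mirroring the thread: a new alert carries "id";
# the later resolution event for the same alert has the original value in
# "monitoringalertid" but ALSO its own, different "id". Because "id" is never
# null, coalesce(id, monitoringalertid) always returns "id" and never matches.
SAMPLE_EVENTS = [
    {"_time": "2021-03-01T10:00:00", "id": "A1", "status": "New", "name": "Disk full"},
    {"_time": "2021-03-01T10:05:00", "id": "A2", "status": "New", "name": "CPU high"},
    {"_time": "2021-03-01T10:30:00", "id": "X9", "monitoringalertid": "A1", "status": "Closed"},
]


def coalesce_key(event):
    """What coalesce(id, monitoringalertid) does: id wins whenever it is set."""
    if event.get("id") is not None:
        return event["id"]
    return event.get("monitoringalertid")


def alert_key(event):
    """Prefer monitoringalertid when present, fall back to id otherwise."""
    return event.get("monitoringalertid") or event.get("id")


def latest_per_alert(events, keyfunc):
    """Emulate `dedup <key> sortby -_time`: keep the newest event per key."""
    newest = {}
    # ISO-8601 timestamps sort correctly as strings; newest first.
    for ev in sorted(events, key=lambda e: e["_time"], reverse=True):
        newest.setdefault(keyfunc(ev), ev)  # first seen per key is the newest
    return newest


def open_alerts(events, keyfunc=alert_key):
    """Alert keys whose most recent event is not Closed (the dashboard set)."""
    return sorted(
        key for key, ev in latest_per_alert(events, keyfunc).items()
        if ev["status"].lower() != "closed"
    )


if __name__ == "__main__":
    print("coalesce(id, monitoringalertid):", open_alerts(SAMPLE_EVENTS, coalesce_key))
    print("prefer monitoringalertid:       ", open_alerts(SAMPLE_EVENTS))
```

The same preference in SPL would be `| eval alertkey=if(isnotnull(monitoringalertid), monitoringalertid, id) | dedup alertkey sortby -_time | search status!=Closed`, with the field names from the thread and "Closed" as the assumed resolved status.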