This search:
index=dev_tsv source="*activity*" "Organization Name"="NA" "Added a comment"
| rename Action as Notes
| rex field=Notes "<div class='comments-space'>(?<Notes>.*)<\/div>"
| stats values(Notes) by BO_ID
Returns correct results as some Notes may have more than one value:
BO_ID                      values(Notes)
5a7b207a17e1ed470ac61da7   Adding another comment, a longer one and this is comment 2.
                           More testing
                           This is comment 3
5a7b207a17e1ed470ac61dcc   I made a comment for Todd
DWmJoPRu32PYapTJ6          Trying to get this record in the Tracker report
KgHaubhnZWgvTSiWc          Adding a new comment
dYXEhFBEyu5W9QRrv          Added new related contact
                           Additional comments added
fQ5QEtbmYHNAcaB6c          Adding additional comments to test with
iELp7qCBCuKLTutwe          More testing relations
                           Not getting relations to Jane
                           Testing relations
The search that is not correct adds in a join but should still return all results, BUT only gives me the most recent Notes instead of all Notes:
index=dev_tsv md_type=assessments info_owner_orgID="NA" | rename id as BO_ID | join type=left BO_ID [search index=dev_tsv source="*fp-activity*" "Organization Name"="NA" "Added a comment"
| rename Action as Notes
| rex field=Notes "<div class='comments-space'>(?<Notes>.*)<\/div>"
| stats values(Notes) by BO_ID
]
The results from that:
BO_ID                      values(Notes)
5a7b207a17e1ed470ac61da7   This is comment 3
5a7b207a17e1ed470ac61dcc   I made a comment for Todd
DWmJoPRu32PYapTJ6          Trying to get this record in the Tracker report
KgHaubhnZWgvTSiWc          Adding a new comment
dYXEhFBEyu5W9QRrv          Added new related contact
fQ5QEtbmYHNAcaB6c          Adding additional comments to test with
iELp7qCBCuKLTutwe          Not getting relations to Jane
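One way to sidestep the join entirely, added here as an example and not part of the original thread: pull both event sets in a single search, put the key into one field, and let stats collect every Note per BO_ID. It assumes, as the two searches above do, that assessment events carry the key in id and activity events in BO_ID, and that only activity events have an Action field.

```spl
index=dev_tsv ((md_type=assessments info_owner_orgID="NA") OR (source="*fp-activity*" "Organization Name"="NA" "Added a comment"))
| eval BO_ID=coalesce(BO_ID, id)
| rex field=Action "<div class='comments-space'>(?<Notes>.*)<\/div>"
| stats count(eval(md_type=="assessments")) as is_assessment, values(Notes) as Notes by BO_ID
| where is_assessment > 0
| fields - is_assessment
```

The where clause keeps the left-join semantics (only BO_IDs that have an assessment event survive), and any other assessment fields you need can be added to the stats line with values() or first().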
Your first query is based on the RIGHT side of the left join of your second query.
The difference is records in the first query that are not encountered in the first half of the second query.
Yeah, that seemed to be the case. Was able to get this to work by running them the opposite way (last one first, first one last); this joined the data correctly, it seems.
Thanks
And what exactly is your question? What is the 2nd search that is giving wrong results?
And can you please post your search code as code (using that 101010 button in the editor)?
Considering answers.splunk has had site issues all morning it told me this never posted and timed out instead. BTW formatting is broken as well, including the code blocks I used that never formatted.
I will add the rest of the question now then
What's your use case?