Hello everyone, I'm having a hard time figuring this out. I have a Search where I have created a Transaction in order to only display the "Create" events in a table. This worked, but I had to add a joiner in order to display a field from another search. Since I did this, only the events that have values in the joiner field I used are displayed. I need help with how I can still show all of the events from the Transaction even though they don't have values from the joiner I used. Here's the Search I have created (I'm still learning all of the Search possibilities, so it might be ugly):

(integrationName="Opsgenie Edge Connector - Splunk" alert.message = "STORE*" alert.message = "STORE*", alert.message != "*Latency" alert.message != "*Loss" action != "AddNote") OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
| eval joiner=if(integrationName="Opsgenie Edge Connector - Splunk", alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
| where alertAlias==x_86994_opsgenie_alert_alias
| fields _time, alert.updatedAt, alert.message, alertAlias, alert.id, action, "alertDetails.Alert Details URL", _raw, closed_txn, _time, dv_number
| eval Created=strftime(_time,"%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" as "Source Link"
| rename dv_number as Incident
| table Created, Branch, "Source Link", Incident
| sort by Created DESC

Thanks for any help on this one, Tom
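One way to keep the Transaction rows that have no matching ServiceNow incident, as an added example that is not part of the original post or of any answer on the page. It reuses the field names from the post; the "none" placeholder for a missing incident number and the null-tolerant `where` are my own choices, not something the original search does. The point of the change is the line `| where alertAlias==x_86994_opsgenie_alert_alias`: after `stats ... by joiner`, a row whose only source events were Opsgenie has no `x_86994_opsgenie_alert_alias` value, so the comparison against a null field evaluates to false and `where` discards the row, which is exactly an inner-join behaviour. Letting null through on that side turns it into a left join.

```spl
(
    (integrationName="Opsgenie Edge Connector - Splunk" alert.message="STORE*"
     alert.message!="*Latency" alert.message!="*Loss" action!="AddNote")
    OR (sourcetype="snow:incident" dv_opened_by=OPSGenieIntegration)
)
| transaction "alert.id", alert.message startswith=Create endswith=Close keepevicted=true
| where closed_txn=0
``` coalesce() picks the first non-null field, so this is the same joiner as the original if() but does not depend on integrationName being set on the ServiceNow events ```
| eval joiner=coalesce(alertAlias, x_86994_opsgenie_alert_alias)
| stats values(*) as * by joiner
``` Left-join semantics: keep the row when there is no ServiceNow alias at all, and only require equality when both sides are present ```
| where isnull(x_86994_opsgenie_alert_alias) OR alertAlias==x_86994_opsgenie_alert_alias
``` Assumed placeholder so the table still shows a value for rows that never got an incident ```
| eval Incident=coalesce(dv_number, "none")
| eval Created=strftime(_time, "%m-%d-%Y %H:%M:%S")
| rename alert.message AS "Branch"
| rename "alertDetails.Alert Details URL" AS "Source Link"
| table Created, Branch, "Source Link", Incident
| sort - Created
```

To check whether the `where` line is what drops rows, run the search up to `| stats values(*) as * by joiner` and compare the row count with and without the original `| where alertAlias==x_86994_opsgenie_alert_alias`: the difference is the set of Transactions that had no incident and were being filtered out. Note that `stats ... by joiner` itself also silently drops any event whose joiner is null, so an Opsgenie event with no alertAlias would still be missing; that is a separate gap from the join filter.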