@smahone11 -
Here's a run-anywhere sample that does what the code above was intended to do.
As well, we've modified the code posted above to fix some minor syntax errors.
index=_audit action=add | head 10
| rename COMMENT as "Sort into key and time order"
| sort 0 action _time
| table _time action date_s*
| rename COMMENT as "Rename the fields so they can be identified automatically"
| rename * as *_New
| rename COMMENT as "Put the keys back where they are supposed to be"
| rename action_New as action
| rename COMMENT as "Copy the fields forward by key"
| streamstats current=f last(*_New) as *_Old by action
| rename COMMENT as "Compare the fields and delete all that have not changed or are not present"
| foreach *_New [
    eval <<MATCHSTR>>_Changed = case( <<MATCHSTR>>_New == <<MATCHSTR>>_Old, null(), isnull( <<MATCHSTR>>_Old ), null(), true(),"yep")
    | eval <<MATCHSTR>>_New = case( <<MATCHSTR>>_Changed == "yep", <<MATCHSTR>>_New)
    | eval <<MATCHSTR>>_Old = case( <<MATCHSTR>>_Changed == "yep", <<MATCHSTR>>_Old)
  ]
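To make the row-by-row effect of that search visible without a Splunk instance, here is an added example (not the poster's code, and not SPL) that re-implements the same steps in plain Python: sort by key and time, carry the last non-null value forward per key the way `streamstats current=f last(*_New) as *_Old by action` does, and keep a field's `_New`/`_Old` pair only when the old value exists and differs. The rows are constructed sample data shaped like the `table _time action date_s*` output, not real `_audit` events; the function name `diff_by_key` is an assumption of this example.

```python
"""Added example: plain-Python rendering of the SPL 'carry forward by key and
keep only changed fields' pipeline. Sample rows are constructed, not real
_audit events."""

from collections import defaultdict

# Constructed sample rows shaped like the tabled _audit output:
# _time, the key field 'action', and a few date_* fields.
SAMPLE_ROWS = [
    {"_time": 1700000000, "action": "add", "date_second": "10", "date_minute": "5"},
    {"_time": 1700000030, "action": "add", "date_second": "10", "date_minute": "6"},
    {"_time": 1700000060, "action": "add", "date_second": "12", "date_minute": "6"},
    {"_time": 1700000010, "action": "edit", "date_second": "7"},
    {"_time": 1700000070, "action": "edit", "date_second": "7", "date_minute": "9"},
]

KEY = "action"


def diff_by_key(rows, key=KEY, time_field="_time"):
    """Mirror of the SPL pipeline:
       sort 0 <key> _time
       streamstats current=f last(<f>_New) as <f>_Old by <key>
       foreach *_New: keep <f>_New/<f>_Old only when <f>_Old exists and differs
    Returns one dict per input row holding _time, the key, and for each changed
    field f the triple f_New, f_Old, f_Changed (matching the SPL field names)."""
    ordered = sorted(rows, key=lambda r: (r[key], r[time_field]))
    last_seen = defaultdict(dict)  # key value -> {field: last non-null value}
    out = []
    for row in ordered:
        result = {time_field: row[time_field], key: row[key]}
        prev = last_seen[row[key]]
        for field, new_val in row.items():
            if field in (time_field, key):
                continue
            old_val = prev.get(field)
            # case(new == old, null(), isnull(old), null(), true(), "yep")
            if old_val is not None and new_val != old_val:
                result[f"{field}_New"] = new_val
                result[f"{field}_Old"] = old_val
                result[f"{field}_Changed"] = "yep"
        # streamstats last() with current=f: the running value for this key is
        # updated only after the current row has been compared, and null values
        # never overwrite a previously seen value.
        for field, new_val in row.items():
            if field not in (time_field, key) and new_val is not None:
                prev[field] = new_val
        out.append(result)
    return out


def changed_fields(results):
    """Summarise each output row as (time, key, sorted list of changed fields)."""
    summary = []
    for r in results:
        fields = sorted(f[:-len("_Changed")] for f in r if f.endswith("_Changed"))
        summary.append((r["_time"], r[KEY], fields))
    return summary


if __name__ == "__main__":
    for line in changed_fields(diff_by_key(SAMPLE_ROWS)):
        print(line)
```

On the constructed rows, the first row of each key carries no `_Old` values and so reports nothing, the second `add` row reports only `date_minute` (5 to 6), the third only `date_second` (10 to 12), and the second `edit` row reports nothing because `date_minute` was absent from the earlier row, which is exactly the `isnull(<<MATCHSTR>>_Old)` branch of the SPL `case()`.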