HI All,
Finally got the solution using mvappend and mvdedup.
index="index_epwf_json" [search index=index_epwf_csv BILLING_ACCOUNT_ID=9332303TCT | eval identifierValue=mvappend(mvdedup(BILLING_ACCOUNT_ID),mvdedup(PAYMENT_ID),mvdedup(WALLET_ID),mvdedup(SESSION_ID),mvdedup(EMAIL_ID)) |table identifierValue] |fields + src dst transactionApi transactionType identifierType identifierValue | table _time src dst identifierType identifierValue transactionApi transactionType statusMessage | sort +transactionType | sort +_time | rename _time AS TIME, src AS SOURCE,dst as DESTINATION,transactionApi as TRSANCTION_API,transactionType as TRANSACTION_TYPE,identifierType as IDENTIFIER_TYPE,identifierValue AS IDENTIFIER_VALUE status as STATUS, statusMessage AS STATUS_MESSAGE | convert timeformat="%Y-%m-%d %H:%M:%S %p" ctime(TIME)
Thanks,
Bharath
... View more