index=XXX sourcetype=XXX
| fields whenChanged *
| table _time whenChanged LATITUDE LONGITUDE CITY SITE_ID ENODEB_ID CELL_ID BAND CELL_NAME GROUND_ELEVATION_AMSL
| dedup CELL_NAME sortby _time
| sort CELL_NAME - whenChanged
| fillnull value="N/A"
| streamstats count by CELL_NAME
| where count < 3
| fields - count
| transaction maxevents=2 mvlist=true CELL_NAME
| eval "Updated Fields" = "NEW_CHANGES"
| foreach *
    [ eval "Updated Fields" = if (mvcount('CELL_NAME') = 2,
        if (mvindex('CELL_NAME', 0) = mvindex('CELL_NAME', 1),
            'Updated Fields',
            'Updated Fields' . "CELL_NAME, "),
        'Updated Fields') ]
| eval "Most Recent AD Change Time" = mvindex('whenChanged',1)
| eval "Previous AD Change Time" = mvindex('whenChanged',0)
This is what I used; it just shows all parameters with a new field whenChanged. I want to see new additions and changes, and I am not able to see them. Please help.