Hello Everyone
I have the below search query that gives me a 4-column table: Process, RunID, StartTime and EndTime.
sourcetype=xxxx
| eval Process=substr('source',1,5)
| stats values(TaskStart) as StartTime, values(TaskEnd) as EndTime by RunID, Process
| table RunID, StartTime, EndTime, Process
I am unable to paste the exact results that I am getting as outputs, as they are scattering and would not be completely understandable.
I have some of the columns where either RunID is missing or StartTime is missing, and some of the StartTime fields have multiple values. I do not need those rows/events where these fields are either empty or have multiple values.
I need only the rows where all the 4 fields have values and all of them are single values, how do I retrieve that?
I have attached 2 image files which show which fields I need and which ones are to be removed. Please help!
Thanks
Maria Arokiaraj