How to get all failed dacNumber which never passed. In the above example it should give me DAC_111_777. Please help.
Select the most recent event for each dacNumber then discard the successful ones. The remainder will be failures. In SPL:
... | dedup dacNumber | where result = failed
View solution in original post
@vishwasgopala Try adding the below query after you index=<<anything>>
| rex field=_raw "result\=\'(?P<result>\w+).*dacNumber\=\'\[(?P<dacNumber>.*?)\]" | search result="failed" | dedup dacNumber | table dacNumber result
Also if this reply helped you in solving your problem an up-vote would be appreciated.
