Hello again,
here is my search result:

_time | ID1 | ID2 |
---|---|---|
1.1.09 | 30122 | 1 |
1.1.09 | 30122 | 1 |
1.1.09 | 30127 | 2 |
1.1.09 | 30128 | 2 |
1.1.09 | 30129 | 2 |
1.1.09 | 30129 | 2 |
1.1.09 | 30130 | 3 |
1.1.09 | 30131 | 3 |

I'd like to have something like this:

_time | ID1 | ID2 |
---|---|---|
1.1.09 | 30122 | 1 |
1.1.09 | 30122 | 1 |
1.1.09 | 30127 | 2 |
1.1.09 | 30127 | 2 |
1.1.09 | 30127 | 2 |
1.1.09 | 30127 | 2 |
1.1.09 | 30130 | 3 |
1.1.09 | 30130 | 3 |

ID2 shows when ID1 should change the value. All events that have the same ID2 should get the first value from ID1 for that group.
I hope someone can help me.
Thanks.
I created a CSV using your first resultset and tested it.
Try this:

```
Your search terms... | eventstats first(ID1) as temp_id1 by ID2 | fields - ID1 | rename temp_id1 as ID1
```
Thank you, that is exactly what I am looking for, great.