In my whole data set, say, I have 3 types of data: Fan, Power and Transceiver.
On the Fan and Power, the unique field is 'Slot', but on the transceiver 'interface' is the unique field.
If I use the dedup on 'slot' field, then the transceiver data doesn't appear because the 'Slot' field is empty. The Fan and Power appear fine. But I want the transceiver to be have duplicates removed on another field, 'interface' and the Fans and Power on the field 'Slot'.
How do I do that?
Try this
your base search like sourcetype=Fan OR sourcetype=Power OR sourcetype=Transceiver | eval commonField=coalesce(Slot,interface) | dedup commonField
@somesoni2: But that would give me a new field called commonField. But I want both the fields to be displayed only the duplicates removed on 'slot' for Fans and Power and on 'interface' for Transceivers.
I want the info to display like this:
Matching events
name slot make model interface description serialnum hwrev mfgdate
A 4 FAN-1-F N/A
AB 3 FAN-1-F N/A
AC 2 FAN-1-F N/A
AD 1 FAN-1-F N/A
B P1 PWR-1-F N/A
BB P2 PWR-42-F N/A
C T1 INTF1 N/A 01.01 2012-02-29
CB T2 INTF2 N/A 01.01 2012-02-29
as you can see, there are no duplicates on the fans and power if i do a dedup on 'slot', but the transceiver data would be lost. On the other hand, if I do a dedup on 'interface', then the fans and power info will be lost.