Hello,
I would like to merge two events with a search to display both events' data in a single line. Refer to the example ticket data below:
Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10002,Resolved,GroupB,12-02-2016
Output -> RowNumber_1,TicketNo_1,Ticket_Status_1,Owner_1,Date_1,RowNumber_2,TicketNo_2,Ticket_Status_2,Owner_2,Date_2
Single Event->1,INC10001,Assigned,GroupA,12-01-2016, 2,INC10002,Resolved,GroupB,12-02-2016
It looks like you are trying to join multiple tickets on the same row without a common field. Assuming you meant to be joining the same ticket... e.g.
Datamodel -> RowNumber,TicketNo,Ticket_Status,Owner,Date
Event#1 -> 1,INC10001,Assigned,GroupA,12-01-2016
Event#2 -> 2,INC10001,Resolved,GroupB,12-02-2016
This stats command
| stats last(Ticket_Status) AS Current_Status list(Ticket_Status) AS Ticket_Statuses list(Owner) AS Owners list(Date) AS Dates by TicketNo
Should yield... sorry for the alignment here, but the plurals will be multivalue fields within a single cell in the table.
TicketNo  Current_Status  Ticket_Statuses  Owners  Dates
INC10001  Resolved        Assigned         GroupA  12-01-2016
                          Resolved         GroupB  12-02-2016
Thank you.
I got the solution; it can be done through either stats or streamstats.
Regards,
Ravi