I have events with this structure: { id, version, event_type }. The id field corresponds to a device ID. I'm trying to find all the unique devices (i.e., unique ids) that are still using version=V1 vs. those that have upgraded to V2.
To find devices still using V1, I could do a search like index=my_index version="V1" | dedup id . The problem is that will match devices that sent some events while running V1, but have since upgraded to V2.
So let's suppose for example I have devices a, b, c. a has only used V1. b has used V1 and has since upgraded to V2. c has only sent events while using V2. So the set of events might look like this:
{ id=a, version=V1, event_type='alice' }
{ id=a, version=V1, event_type='bob' }
{ id=b, version=V1, event_type='carl' }
{ id=b, version=V2, event_type='dora' }
{ id=c, version=V2, event_type='eve' }
{ id=c, version=V2, event_type='fred' }
I'm trying to write 2 searches, one that will just return a (who has only used V1), and one which will return b & c (both of which have used V2).
index=my_index version="V2" | dedup id works fine for the second case (and returns [b,c]).
The similar index=my_index version="V1" | dedup id for the first case returns [a,b] and not just [a], so that's not the search I want.
Is there any way I can exclude b from the search, by excluding any events where the id field is also present in other events that have non-matching criteria? I.e., a search that dedups all events that match version=V1 (events 1,2,3), but then excludes b because event 3 has id=b, version=V2?
I've seen some similar questions that do something like | search NOT [search ... ] but I can't see how to make that work here, where I'm not just looking at events, but trying to compare two dedup'd lists.
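One way to express both searches in SPL, as an added example that is not part of the question above: instead of deduplicating the raw events, aggregate per id first and record whether each device has ever reported each version, then filter on those per-device flags. The index and field names come from the question; the flag names has_v1 and has_v2 are my own.

```spl
index=my_index
| stats max(eval(if(version="V1",1,0))) AS has_v1
        max(eval(if(version="V2",1,0))) AS has_v2
        BY id
| where has_v1=1 AND has_v2=0
| table id
```

With the six sample events this returns only a. Replacing the where clause with | where has_v2=1 returns b and c, the devices that have reported V2 at least once, so the same stats pipeline serves both questions. For the subsearch form the question alludes to, the equivalent is index=my_index version="V1" NOT [search index=my_index version="V2" | dedup id | fields id] | dedup id: the subsearch expands to (id=b OR id=c), which NOT then excludes; note that subsearches are capped at a default of 10,000 results, so the stats version is the safer choice for a large device population.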