Is it possible for Splunk to get an output something along the lines of:
Source:
Col_A | Col_B | Col_C
ID_A | log 1 | yes
ID_A | log 2 | no
ID_A | log 3 | no
ID_B | log 4 | no
ID_B | log 5 | no
sort Col_A
| if Col_C == yes, then search and include all rows where Col_A == ID_A
| eval to combine ID_A into one cell
(will filter away records with ID_B as all of its Col_C == no)
Desired Result
ID_A | log 1 | yes
ID_A | log 2 | no
ID_A | log 3 | no
Am I able to use Splunk for the middle logic? -> if Col_C == yes, then search and include all rows where Col_A == ID_A
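One way to express the middle logic in SPL, as an added example that is not part of the original post: `eventstats` counts the rows with Col_C == yes per Col_A and writes that count onto every row of the group, so `where` can keep whole groups. The first six lines only rebuild the sample table from the question as constructed test data (`raw` and `yes_rows` are names chosen here); in a real search they are replaced by the base search that produces Col_A, Col_B and Col_C.

```spl
| makeresults
| eval raw="ID_A,log 1,yes;ID_A,log 2,no;ID_A,log 3,no;ID_B,log 4,no;ID_B,log 5,no"
| makemv delim=";" raw
| mvexpand raw
| rex field=raw "^(?<Col_A>[^,]+),(?<Col_B>[^,]+),(?<Col_C>[^,]+)$"
| fields - _time raw
| eventstats count(eval(Col_C=="yes")) AS yes_rows BY Col_A
| where yes_rows > 0
| sort 0 Col_A Col_B
| fields Col_A Col_B Col_C
```

On the sample data this leaves the three ID_A rows and drops both ID_B rows. To collapse each ID into a single row instead, replace the last two lines with `stats list(Col_B) AS Col_B list(Col_C) AS Col_C BY Col_A`.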