Hi team, I have a highly simplified set of log entries similar to the sample data below:
|makeresults |eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1"
|append [| makeresults |eval dummy= "Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1"]
|append [| makeresults |eval dummy= "Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2"]
|append [| makeresults |eval dummy= "Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"]
Could someone point me to the SPL query that could show me which user(s) have upgraded their "Client_version" and when? I basically need to track when a field value for a particular user has changed.
In the example set above, I want an output (table or graphs) that shows User1:Dec 12 05:07:53, User2:Dec 14 08:43:48, User3:Dec 15 08:44:48 and User4:Dec 16 18:45:48.
User5 won't show up as his "Client_version" field has not updated.
And in the case of User1, he has logged in multiple times, but I need to see only the timestamp when his "Client_version" field has changed.
Thanks very much.
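One way to get that output, as an added example that is not part of the original post: carry each user's previous `Client_version` forward with `streamstats` and keep only the events where it differs. The `rex` pattern and the field names `ts` and `prev_version` are assumptions made for this sample data, and the query flags any change of value, not only upgrades.

```spl
| makeresults | eval dummy="Dec 09 19:43:45 system1 User_name: User1 Client_version: 1.1"
| append [| makeresults | eval dummy="Dec 11 19:13:42 system1 User_name: User2 Client_version: 1.1"]
| append [| makeresults | eval dummy="Dec 11 19:26:07 system1 User_name: User3 Client_version: 1.1"]
| append [| makeresults | eval dummy="Dec 11 19:33:25 system1 User_name: User4 Client_version: 1.1"]
| append [| makeresults | eval dummy="Dec 12 05:06:14 system1 User_name: User5 Client_version: 1.1"]
| append [| makeresults | eval dummy="Dec 12 05:07:53 system1 User_name: User1 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 12 08:41:48 system1 User_name: User1 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 13 08:42:48 system1 User_name: User1 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 14 08:43:48 system1 User_name: User2 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 15 08:44:48 system1 User_name: User3 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 16 18:45:48 system1 User_name: User4 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 17 18:46:48 system1 User_name: User1 Client_version: 1.2"]
| append [| makeresults | eval dummy="Dec 18 18:46:48 system1 User_name: User5 Client_version: 1.1"]
| rex field=dummy "^(?<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ User_name: (?<User_name>\S+) Client_version: (?<Client_version>\S+)"
| streamstats current=f last(Client_version) AS prev_version BY User_name
| where isnotnull(prev_version) AND Client_version!=prev_version
| table ts User_name prev_version Client_version
```

The sample rows are already in chronological order; on indexed events, which a search returns newest first, put `| sort 0 _time` before `streamstats`. No `window=1` is used because `streamstats` defaults to `global=true`, which would apply a one-event window across all users rather than per user.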