How to compare fields across multiple sourcetypes

Hi all, I'm working on a search that essentially would take the field results from one search, where I'm looking for a specific `PBM` ("Problem Number") and the `RMTMS` ("Reporting Serial Numbers") associated with it, and compare it across another search where the update history of various machines is listed. In this other data I extract the `CL` ("Code Level") and the serial number `MTMS` ("Serial Number"), so that I can compare the `MTMS` and `RMTMS` fields for equality, while appending the Bundle Information to it.

Essentially my end result would be a table that lists the Serial Number of each machine that has reported that specific problem number, as well as what Code Level it is on. Here is what I have so far; however, it returns each respective Serial Number with multiple Bundles instead of the relevant one. Also, I'm not entirely sure if it is in fact comparing the Serial Numbers or just disregarding them. Thank you in advance for any help.

```
index=* "PMB#1"
|rex field=storageFacilityMTMS "(?2123-900\S+)"
| stats values(PMB) values(RMTMS) as RMTMS
| join [ search index=* "Code Levels" " Package Level" AND "Sea.ha"
    | rex "(?:\n|.)\s+(?(?:8[7]+\.\d+\.\d+\.\d+))"
    | rex "(?m)Package:\s+ha(?:\n|.)*?VRMF:\s+(?87\S+)"
    | rex "(?m)Package:\s+sfi(?:\n|.)*?VRMF:\s+(?87\S+)"
    | rex "(?m)Package:\s+se(?:\n|.)*?VRMF:\s+(?87\S+)"
    | eval Bundle=0
    | foreach BU* [ eval Bundle=max(largest_BU, BU1,BU2, BU3 ) ]
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?MTMS:(?\s+\d+\-\d+\S\S+)"
    | eval MTMS=coalesce(MT,RMTMS)
    | rex "(?m)Package:\s+SEA.ha(?:\n|.)*?Package Level:\s+(?\d+\.\d+\.\d+\.\d+)"
    | rex "(?m)Package:\s+SEA.ha.*?(?\s+\d+\-\d+\S\S+)"
    | eval MTMS=coalesce(MT,MS)
    | stats list(MTMS) as MTMS , list(Bundle) as Bundle ]
|makemv RMTMS
|mvexpand RMTMS
| stats values(pmhNumber) values(referenceCode) list(MTMS) as MTMS values(RMTMS) as RMTMS , list(Bundle) as Bundle,
| makemv MTMS
| mvexpand MTMS
| stats list(RMTMS) as MTMS , list(Bundle) as Bundle
```
