I have an instance using ServiceNow data where I want to dedup the data based on sys_updated_on to get the last update and status of the incident.
sourcetype="snow:pm_project" | dedup number sortby -sys_updated_on
However, I keep getting the error that "|" pipes are not allowed.
I started looking at modifying the data model json file, but still got the message.
I might note that I am using "Root Event" to get acceleration to work with this.
I know I can do searches to use dedup. Should I use "Root Search" and "Root Event" together? Not sure how I would do that.
This is the search I ultimately want:
sourcetype="snow:pm_project" | dedup number sortby -sys_updated_on | search state=-5
where state would be child objects beneath the base search.
Any help would be appreciated. I have spent a lot of time banging my head on this and want to use data models for acceleration.