topic Correlation Events and Discard Events in Splunk Search https://community.splunk.com/t5/Splunk-Search/Correlation-Events-and-Discard-Events/m-p/353159#M104534 <P>Hello, <BR /> I need your help to correlation some transactions by a number of reference and responses Input and Output but the reponse Output can have many results. <BR /> I have the following query with splunk but I need only in the dashboard the transactions that you have response I or O in a cell. </P> <PRE><CODE>index="x" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="x" field_header=STD2 | eval num_trans=code_serv_std2.subcodigo_serv_std2 | transaction num_trans with mvlist=t startswith=(resp=*I) | search duration&gt;=0 | eval first_mix=mvindex(mix, 0) | eval last_mix=mvindex(mix, -1) | eval hour1=mvindex(hora, 0) | eval hour2=mvindex(hora, -1) | eval version1=mvindex(pref_header_std2, 0) | eval mod_serv_std2=mvindex(modalidad_serv, 0) | eval first_duration = tostring(duration, "duration") | eval mytime=strftime(_time, "%Y-%m-%d") | eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y") | eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S.%2N") | eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S.%2N") | eval num_tran=mvindex(num_trans, -1) | table mix resp version1 first_mix last_mix fecha first_hour last_hour first_duration num_tran mod_serv_std2 app_dest_std2 app_origen_std2 | rename mix as "MIX" fecha as "Fecha" first_hour as "Hora Inicio Respuesta" last_hour as "Hora Fin Respuesta" first_duration as "Duración de Respuesta (s)" num_tran as "ID de Transacción" mod_serv_std2 as "Modalidad De Servicio" first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino" resp as "Respuesta" app_origen_std2 as "Aplicacion Origen" version1 as Version </CODE></PRE> <P>Result of the Query</P> <P><IMG src="https://community.splunk.com/storage/temp/229708-1.png" alt="alt text" /></P> <P><STRONG>*But I only need in the dashboard the transactions that have an response **I</STRONG> and one or more <STRONG>O</STRONG>. I need to discard those that only have one Input<BR /> it's possible ?*** <BR /> <IMG src="https://community.splunk.com/storage/temp/229711-2.png" alt="alt text" /></P> Tue, 29 Sep 2020 18:29:41 GMT Carolina 2020-09-29T18:29:41Z Correlation Events and Discard Events https://community.splunk.com/t5/Splunk-Search/Correlation-Events-and-Discard-Events/m-p/353159#M104534 <P>Hello, <BR /> I need your help to correlation some transactions by a number of reference and responses Input and Output but the reponse Output can have many results. <BR /> I have the following query with splunk but I need only in the dashboard the transactions that you have response I or O in a cell. </P> <PRE><CODE>index="x" source="MCB-S015-FILE-MONITOREO2-170919-000-ACYPGAMA.CBL" sourcetype="x" field_header=STD2 | eval num_trans=code_serv_std2.subcodigo_serv_std2 | transaction num_trans with mvlist=t startswith=(resp=*I) | search duration&gt;=0 | eval first_mix=mvindex(mix, 0) | eval last_mix=mvindex(mix, -1) | eval hour1=mvindex(hora, 0) | eval hour2=mvindex(hora, -1) | eval version1=mvindex(pref_header_std2, 0) | eval mod_serv_std2=mvindex(modalidad_serv, 0) | eval first_duration = tostring(duration, "duration") | eval mytime=strftime(_time, "%Y-%m-%d") | eval fecha=strftime(strptime(mytime,"%Y-%m-%d"),"%d/%m/%Y") | eval first_hour=strftime(strptime(hour1,"%H%M%S%2N"),"%H:%M:%S.%2N") | eval last_hour=strftime(strptime(hour2,"%H%M%S%2N"),"%H:%M:%S.%2N") | eval num_tran=mvindex(num_trans, -1) | table mix resp version1 first_mix last_mix fecha first_hour last_hour first_duration num_tran mod_serv_std2 app_dest_std2 app_origen_std2 | rename mix as "MIX" fecha as "Fecha" first_hour as "Hora Inicio Respuesta" last_hour as "Hora Fin Respuesta" first_duration as "Duración de Respuesta (s)" num_tran as "ID de Transacción" mod_serv_std2 as "Modalidad De Servicio" first_mix as "Mix Inicio" last_mix as "Mix Fin" app_dest_std2 as "Aplicación Destino" resp as "Respuesta" app_origen_std2 as "Aplicacion Origen" version1 as Version </CODE></PRE> <P>Result of the Query</P> <P><IMG src="https://community.splunk.com/storage/temp/229708-1.png" alt="alt text" /></P> <P><STRONG>*But I only need in the dashboard the transactions that have an response **I</STRONG> and one or more <STRONG>O</STRONG>. I need to discard those that only have one Input<BR /> it's possible ?*** <BR /> <IMG src="https://community.splunk.com/storage/temp/229711-2.png" alt="alt text" /></P> Tue, 29 Sep 2020 18:29:41 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-Events-and-Discard-Events/m-p/353159#M104534 Carolina 2020-09-29T18:29:41Z Re: Correlation Events and Discard Events https://community.splunk.com/t5/Splunk-Search/Correlation-Events-and-Discard-Events/m-p/353160#M104535 <P>Yes it is</P> <P>Use eval field_count=mvcount(Respuesta) to count the number of events in a multivalued field, and then filter them out with where field_count==1</P> Tue, 29 Sep 2020 18:27:25 GMT https://community.splunk.com/t5/Splunk-Search/Correlation-Events-and-Discard-Events/m-p/353160#M104535 tiagofbmm 2020-09-29T18:27:25Z