https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382079#M111693 <P>It should be a matter of adding <CODE>| search ID!="XXXXX *"</CODE> to your query. If you share the existing query we can be more specific.</P> Tue, 09 Jul 2019 16:53:44 GMT richgalloway 2019-07-09T16:53:44Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382076#M111690 <P>Not sure where I should be going but, I am all for raw data going into fields, enhanced etc...<BR /> I am looking at our raw data and there is a field called <CODE>ID=XXXXXX</CODE> which is the field I am interested in, there is also another occurrence of <CODE>ID= XXXXX YYYYY</CODE> in the event which I am not interested in. <BR /> Both are showing up in my searches, <CODE>NAME=MX001</CODE> and the second one <CODE>ID=MX001 YYYYY</CODE>. <BR /> I have tried Eval substr(ID,1,6) to no avail, any help would be appreciated, <BR /> P.S. could this have been taken care of during original extraction??</P> <P>Thanks Ahead</P> Tue, 09 Jul 2019 14:57:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382076#M111690 cxfuent29 2019-07-09T14:57:54Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382077#M111691 <P>Could you clarify a couple of things?<BR /> -Both fields are automatically extracted and they both exist in your index?<BR /> -One is called <STRONG>NAME</STRONG> and the other one <STRONG>ID</STRONG>?<BR /> -You only have use for <STRONG>NAME</STRONG> but not for <STRONG>ID</STRONG>??</P> Tue, 09 Jul 2019 16:32:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382077#M111691 oscar84x 2019-07-09T16:32:37Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382078#M111692 <P>Correction: both fields are ID, both are automatically extracted and exist in one event.</P> <P>Sorry for type</P> Tue, 09 Jul 2019 16:40:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382078#M111692 cxfuent29 2019-07-09T16:40:38Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382079#M111693 <P>It should be a matter of adding <CODE>| search ID!="XXXXX *"</CODE> to your query. If you share the existing query we can be more specific.</P> Tue, 09 Jul 2019 16:53:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382079#M111693 richgalloway 2019-07-09T16:53:44Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382080#M111694 <P>Let me try to show examples:</P> <P>INPUT EVENTS:</P> <P>1) id=jim,addr=12 main st,phone=825-585-9865</P> <P>2) id=tom,addr=45 maple,phone=528-777-9685,id=tom second</P> <P>I am using a simple table:<BR /> table id addr phone</P> <P>Output:<BR /> jim 12 main st 825-585-9865<BR /> tom 45 maple 528-777-9685<BR /> tom second<BR /> (the line above is the problem)</P> Tue, 09 Jul 2019 17:50:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382080#M111694 cxfuent29 2019-07-09T17:50:34Z https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382081#M111695 <P>I guess what I am trying to do is a report using the first occurrence of a field within an event.</P> <P>Some events have multiple fields some don't.</P> <P>I looked at stats first(xx), but it returned first occurrence of first event only.</P> Wed, 10 Jul 2019 13:47:29 GMT https://community.splunk.com/t5/Splunk-Search/How-to-subtract-specific-events-key-pairs/m-p/382081#M111695 cxfuent29 2019-07-10T13:47:29Z