topic Re: Is this a Join, subsearch, or something else? in Splunk Search

Is this a Join, subsearch, or something else?

theeven — Tue, 27 Aug 2013 21:43:53 GMT

In my search I am at a stage where I have something like below.

USERID EVENT STATUS
1 HELLO PASS
2 HELLO FAIL
3 HELLO FAIL
4 HELLO PASS
2 HELLO PASS
3 HELLO PASS
7 HELLO FAIL
4 HELLO PASS
8 HELLO PASS

I need a way to list all USERID who have encountered both PASS and FAIL STATUS

2
3

help?
thanks.

lukejadamec — Wed, 28 Aug 2013 00:06:57 GMT

What is the timeframe?

yannK — Wed, 28 Aug 2013 00:13:03 GMT

I hate to say that, but maybe a transaction may be useful.

mysearch PASS OR FAIL | transaction USERID | search PASS AND FAIL | table USERID

theeven — Wed, 28 Aug 2013 00:15:03 GMT

not sure if i get it.

lukejadamec — Wed, 28 Aug 2013 00:26:22 GMT

How far back in time do you want to look?
For users that have both pass and fail, in the past hour, day, month?

theeven — Wed, 28 Aug 2013 00:30:46 GMT

I am planning to group timechart per_day() at the end.

theeven — Wed, 28 Aug 2013 01:10:52 GMT

Okay here's my solution. Works good for me.

| stats values(STATUS) as STATUS_MV by USERID 
| eval STATUS_COUNT = mvcount(STATUS_MV) 
| search STATUS_COUNT=2

In my case, Status can only take one of the 2 conditions (PASS/FAIL). In other case ">" operator could also be used.

gkanapathy — Wed, 28 Aug 2013 01:15:44 GMT

Pretty straightforward:

... | stats values(STATUS) as statuses by USERID | where statuses=="PASS" AND statuses=="FAIL"

HiroshiSatoh — Wed, 28 Aug 2013 01:47:04 GMT

I did not think of this. The Helpful simple.

Runals — Wed, 11 Sep 2013 10:36:08 GMT

That is similar to how I would approach it

...| stats dc(STATUS) by USERID