https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456525#M129047 <P><CODE>index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" <BR /> | rex "^\[(?[^\]]+)\].*\[(?[^\]]+)\]\[(?[a-zA-Z]*)\](?[^\(]+)\(\d*\)(.*makeModel=(?.*),make)*(:StdOUT (?.*))*.*" <BR /> | eval _time=strptime(time,"%a %b %d %H:%M:%S") <BR /> | fields - _raw time <BR /> | stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip <BR /> | eval duration=(latestTime-_time)<BR /> | fields - latestTime <BR /> | search allTypes="NodeManager.getNodeByHWaddress" AND allTypes!="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes</CODE></P> <P>The above search query creates a table which has a column with users' macaddresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose macaddresses appears in the past logs on different days. I'm trying to find the users that use my program multiple times in the past and keeps using it.</P> <P>If the below search returns events that are on different days, then I want to display this user in the table I created above. Thanks!<BR /> <CODE>index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f</CODE></P> Mon, 19 Aug 2019 14:23:31 GMT elijahm 2019-08-19T14:23:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456525#M129047 <P><CODE>index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" <BR /> | rex "^\[(?[^\]]+)\].*\[(?[^\]]+)\]\[(?[a-zA-Z]*)\](?[^\(]+)\(\d*\)(.*makeModel=(?.*),make)*(:StdOUT (?.*))*.*" <BR /> | eval _time=strptime(time,"%a %b %d %H:%M:%S") <BR /> | fields - _raw time <BR /> | stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip <BR /> | eval duration=(latestTime-_time)<BR /> | fields - latestTime <BR /> | search allTypes="NodeManager.getNodeByHWaddress" AND allTypes!="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes</CODE></P> <P>The above search query creates a table which has a column with users' macaddresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose macaddresses appears in the past logs on different days. I'm trying to find the users that use my program multiple times in the past and keeps using it.</P> <P>If the below search returns events that are on different days, then I want to display this user in the table I created above. Thanks!<BR /> <CODE>index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f</CODE></P> Mon, 19 Aug 2019 14:23:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456525#M129047 elijahm 2019-08-19T14:23:31Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456526#M129048 <P>Try adding this to the end of your query:</P> <PRE><CODE>| bucket span=1d _time | stats count values(*) as * by macaddress | where count &gt; 1 </CODE></PRE> Mon, 19 Aug 2019 14:39:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456526#M129048 richgalloway 2019-08-19T14:39:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456527#M129049 <P>It makes my table return only 1 statistic with the macaddresses column empty and the other columns listing its elements in the one statistic so i can't tell what information is correlated to which user. </P> Mon, 19 Aug 2019 15:27:55 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456527#M129049 elijahm 2019-08-19T15:27:55Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456528#M129050 <P>You can use 'join' command if you want to retrieve the list of users for the mac addresses which you have obtained. OR you can use 'appendcols' if both queries are not related .</P> Mon, 19 Aug 2019 15:44:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456528#M129050 ansusabu 2019-08-19T15:44:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456529#M129051 <P>The macaddress field would be empty only if none of the events have a value for that column by the time the <CODE>stats</CODE> command runs. What do your results look like before the <CODE>bucket</CODE> command?</P> Mon, 19 Aug 2019 17:04:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-add-an-additional-search-condition-to-my-table/m-p/456529#M129051 richgalloway 2019-08-19T17:04:19Z