https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534380#M151002 <P>Your events should already be mapping time_start to _time so filtering them should be a matter of selecting the desired time range from the time picker.</P><P>If you don't map time_start to _time then you'll have to filter in your query.</P><LI-CODE lang="markup">index=something (name="foo" OR name="bar") | eval startTime=strptime(time_start, "%Y-%m-%dT%H:%M:%S%:z") | where startTime ```fill in conditions``` | stats values(code) as codes by name</LI-CODE> Tue, 29 Dec 2020 17:00:56 GMT richgalloway 2020-12-29T17:00:56Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534145#M150956 <P>Hello,</P><P>Help will be very appreciated.</P><P>My splunk index contains a field with codes, and another field with names.</P><P>Every event contains a code and a name.</P><P>1. I need to display all the codes that repeat more then once and have different names -&nbsp; result for example can be code 444 that apear with two names dave and miriam.</P><P>2.Farther more, I need to display codes that have events with two specific names.</P><P>Thank you,</P><P>Jacob</P><P>&nbsp;</P> Sun, 27 Dec 2020 13:15:09 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534145#M150956 jacob_rod 2020-12-27T13:15:09Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534151#M150961 <P>1. This should show all the codes that have more than one name associated with them.</P><LI-CODE lang="markup">... | stats values(name) as names by code | where mvcount(names) &gt; 1</LI-CODE><P>2. Here is one way to find the codes with two specific names</P><LI-CODE lang="markup">index=something (name="foo" OR name="bar") | stats values(code) as codes by name</LI-CODE> Sun, 27 Dec 2020 15:44:39 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534151#M150961 richgalloway 2020-12-27T15:44:39Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534308#M150984 <P>Thank you very much, using the two solutions together solved my issue.</P><P>How can I add Time filter to the evens ?</P><P>&nbsp;</P> Tue, 29 Dec 2020 07:04:49 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534308#M150984 jacob_rod 2020-12-29T07:04:49Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534352#M150995 <P>What exactly do you mean by "time filter"?&nbsp; What results do you want?</P> Tue, 29 Dec 2020 13:17:37 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534352#M150995 richgalloway 2020-12-29T13:17:37Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534372#M151000 <P>Hi,</P><P>My time field name is "time_start" - structure is -&nbsp; 2020-12-22T10:40:04.327+04:00</P><P>I need to display events from specific time boundaries (starting specific time until end time)</P><P>this is together with the code &amp; name filters above.</P><P>Thank you again for the help.</P><P>Jake</P> Tue, 29 Dec 2020 15:40:19 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534372#M151000 jacob_rod 2020-12-29T15:40:19Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534380#M151002 <P>Your events should already be mapping time_start to _time so filtering them should be a matter of selecting the desired time range from the time picker.</P><P>If you don't map time_start to _time then you'll have to filter in your query.</P><LI-CODE lang="markup">index=something (name="foo" OR name="bar") | eval startTime=strptime(time_start, "%Y-%m-%dT%H:%M:%S%:z") | where startTime ```fill in conditions``` | stats values(code) as codes by name</LI-CODE> Tue, 29 Dec 2020 17:00:56 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/534380#M151002 richgalloway 2020-12-29T17:00:56Z https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/540193#M152796 <P>This is my final search -</P><P>index=something (name="foo" OR name="bar")<BR />| eval timeValue = strptime(Date, "%Y-%m-%d %H:%M")<BR />| eval earliest = strptime("2021-02-17 08:00", "%Y-%m-%d %H:%M")<BR />| where (timeValue &gt; earliest)<BR />| stats values(name) as names by code<BR />| where mvcount(names) &gt; 1<BR />| table code names</P><P>Trying to add field from the events to the table came out empty...</P><P>Question is how can I add a field from the events to the table ?<BR /><BR /></P> Wed, 17 Feb 2021 07:41:08 GMT https://community.splunk.com/t5/Splunk-Search/help-with-search-repeated-events-with-diffrent-values-in/m-p/540193#M152796 jacob_rod 2021-02-17T07:41:08Z