topic Re: Search under same field value in Splunk Search

Search under same field value

enpingtu — Wed, 03 Mar 2021 06:41:29 GMT

We have below log event rows -

correlationKey=abc msg="create cache for 123"
correlationKey=abc "read cache for 123"
correlationKey=mno "create cache for 456"
correlationKey=mno "read cache for 456"
correlationKey=xyz "read cache for 123"

From the data, we may notice that correlationKey abc/mno have both create/read. But for correlationKey xyz, it does not have "create cache" log, but "read cache" only.

We need to find all correlationKey values w/o log entry "create cache for". (abc/mno do not qualify. Only xyz qualify.)

Appreciate your great help!

- ET

Re: Search under same field value

gcusello — Wed, 03 Mar 2021 07:21:03 GMT

Hi @enpingtu,

You could try something like this:

your_search | eval qualify=case(searchmatch("create cache for"),"Create", searchmatch("read cache for"),"Read" | stats dc(qualify) AS dc_qualify values(qualify) AS qualify BY correlationKey | eval status=if(dc_qualify=2,"Qualify","Do not Qualify") | table correlationKey status

Ciao.

Giuseppe

Re: Search under same field value

enpingtu — Wed, 03 Mar 2021 07:30:48 GMT

Appreciate!

Re: Search under same field value

ITWhisperer — Wed, 03 Mar 2021 07:33:52 GMT

| eval created=if(match(msg,"create cache"),"true",null) | stats values(created) as created by correlationKey | where NOT created="true"