topic How to extract the data with 3 different events based on a filter in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-data-with-3-different-events-based-on-a/m-p/555976#M157868 <P>Hi all,</P><P>Currently I have the following string to make a table with some values which belong to different events but they have a field in common:</P><P>&nbsp;</P><P>index="*MYindex*" AND container_name="Mycontainer_name"&nbsp; AND (message="*search1*" OR message="*search2*" OR message="*search3*")&nbsp;AND NOT message="*search4*"</P><P>| rex field=_raw "xyz(?&lt;search1&gt;[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"</P><P>| rex field=_raw "xyz(?&lt;trace&gt;[a-z0-9]+)*"</P><P>| rex field=message "xyz(?&lt;search3&gt;[0-9a-zA-Z\s]+),*"</P><P>| rex field=_raw "xyz(?&lt;search2&gt;[A-Za-z0-9]+)*"</P><P>| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace</P><P>&nbsp;</P><P>This generates the following table grouping the events with the same trace. I expect to have empty cells depending of the SEARCH2 and SEARCH3, so it's fine.</P><TABLE width="0"><TBODY><TR><TD width="464"><P><STRONG>trace</STRONG></P></TD><TD width="432"><P><STRONG>SEARCH2 </STRONG></P></TD><TD width="424"><P><STRONG>SEARCH3</STRONG></P></TD><TD><P><STRONG>SEARCH1</STRONG></P></TD></TR><TR><TD><P>0022f6381a597f0e</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>004d6a8d0b2c3e7c</P></TD><TD><P>EXRS</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>0052ad6e42b4b9ad</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>008643fdaca08cd5</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>008f58384f6d582f</P></TD><TD><P>EXOL</P></TD><TD><P>400 BAD</P></TD><TD><P>FORMAT ERROR</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>What I'm looking for is to filter these results based on an additional search, which is a different event but it has the same trace:</P><P>&nbsp;</P><P>index="*MYindex*" AND container_name="Mycontainer_name"&nbsp; AND (message="*search1*" OR message="*search2*" OR message="*search3*" <FONT color="#0000FF"><STRONG>OR message="*search5*"</STRONG></FONT> )&nbsp;AND NOT message="*search4*"</P><P>| rex field=_raw "xyz(?&lt;search1&gt;[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"</P><P>| rex field=_raw "xyz(?&lt;trace&gt;[a-z0-9]+)*"</P><P>| rex field=message "xyz(?&lt;search3&gt;[0-9a-zA-Z\s]+),*"</P><P>| rex field=_raw "xyz(?&lt;search2&gt;[A-Za-z0-9]+)*"</P><P><FONT color="#0000FF"><STRONG>| rex field=_raw "xyz(?&lt;search5&gt;[a-zA-Z]+),*"</STRONG></FONT></P><P><FONT color="#0000FF"><STRONG>| where search5="true"</STRONG></FONT></P><P>| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace</P><P>&nbsp;</P><P><STRONG>search5</STRONG>&nbsp;can only be "true" or "false" but the table applying the filter is empty, only showing the trace field:</P><TABLE><TBODY><TR><TD width="464"><P><STRONG>trace</STRONG></P></TD><TD width="432"><P><STRONG>SEARCH2 </STRONG></P></TD><TD width="424"><P><STRONG>SEARCH3</STRONG></P></TD><TD><P><STRONG>SEARCH1</STRONG></P></TD></TR><TR><TD><P>0022f6381a597f0e</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How I can filter the events applying the condition?</P><P>&nbsp;</P><P>Thanks for you time.</P> Wed, 16 Jun 2021 13:14:53 GMT CristianLopez 2021-06-16T13:14:53Z How to extract the data with 3 different events based on a filter https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-data-with-3-different-events-based-on-a/m-p/555976#M157868 <P>Hi all,</P><P>Currently I have the following string to make a table with some values which belong to different events but they have a field in common:</P><P>&nbsp;</P><P>index="*MYindex*" AND container_name="Mycontainer_name"&nbsp; AND (message="*search1*" OR message="*search2*" OR message="*search3*")&nbsp;AND NOT message="*search4*"</P><P>| rex field=_raw "xyz(?&lt;search1&gt;[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"</P><P>| rex field=_raw "xyz(?&lt;trace&gt;[a-z0-9]+)*"</P><P>| rex field=message "xyz(?&lt;search3&gt;[0-9a-zA-Z\s]+),*"</P><P>| rex field=_raw "xyz(?&lt;search2&gt;[A-Za-z0-9]+)*"</P><P>| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace</P><P>&nbsp;</P><P>This generates the following table grouping the events with the same trace. I expect to have empty cells depending of the SEARCH2 and SEARCH3, so it's fine.</P><TABLE width="0"><TBODY><TR><TD width="464"><P><STRONG>trace</STRONG></P></TD><TD width="432"><P><STRONG>SEARCH2 </STRONG></P></TD><TD width="424"><P><STRONG>SEARCH3</STRONG></P></TD><TD><P><STRONG>SEARCH1</STRONG></P></TD></TR><TR><TD><P>0022f6381a597f0e</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>004d6a8d0b2c3e7c</P></TD><TD><P>EXRS</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>0052ad6e42b4b9ad</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>008643fdaca08cd5</P></TD><TD><P>EXOL</P></TD><TD><P>200 OK</P></TD><TD><P>&nbsp;</P></TD></TR><TR><TD><P>008f58384f6d582f</P></TD><TD><P>EXOL</P></TD><TD><P>400 BAD</P></TD><TD><P>FORMAT ERROR</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>What I'm looking for is to filter these results based on an additional search, which is a different event but it has the same trace:</P><P>&nbsp;</P><P>index="*MYindex*" AND container_name="Mycontainer_name"&nbsp; AND (message="*search1*" OR message="*search2*" OR message="*search3*" <FONT color="#0000FF"><STRONG>OR message="*search5*"</STRONG></FONT> )&nbsp;AND NOT message="*search4*"</P><P>| rex field=_raw "xyz(?&lt;search1&gt;[0-9a-zA-ZÀ-ÿ\,\s"/"]+),*"</P><P>| rex field=_raw "xyz(?&lt;trace&gt;[a-z0-9]+)*"</P><P>| rex field=message "xyz(?&lt;search3&gt;[0-9a-zA-Z\s]+),*"</P><P>| rex field=_raw "xyz(?&lt;search2&gt;[A-Za-z0-9]+)*"</P><P><FONT color="#0000FF"><STRONG>| rex field=_raw "xyz(?&lt;search5&gt;[a-zA-Z]+),*"</STRONG></FONT></P><P><FONT color="#0000FF"><STRONG>| where search5="true"</STRONG></FONT></P><P>| stats values(search2) as SEARCH2 values(search3) as SEARCH3 values(search1) as SEARCH1 by trace</P><P>&nbsp;</P><P><STRONG>search5</STRONG>&nbsp;can only be "true" or "false" but the table applying the filter is empty, only showing the trace field:</P><TABLE><TBODY><TR><TD width="464"><P><STRONG>trace</STRONG></P></TD><TD width="432"><P><STRONG>SEARCH2 </STRONG></P></TD><TD width="424"><P><STRONG>SEARCH3</STRONG></P></TD><TD><P><STRONG>SEARCH1</STRONG></P></TD></TR><TR><TD><P>0022f6381a597f0e</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD><TD><P>&nbsp;</P></TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How I can filter the events applying the condition?</P><P>&nbsp;</P><P>Thanks for you time.</P> Wed, 16 Jun 2021 13:14:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-the-data-with-3-different-events-based-on-a/m-p/555976#M157868 CristianLopez 2021-06-16T13:14:53Z