https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320426#M162533 <P>don't we need some <CODE>geostats</CODE> ?</P> Tue, 06 Mar 2018 21:36:02 GMT ledion 2018-03-06T21:36:02Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320423#M162530 <P>Does anyone know how to craft a search to find George Bush's stolen watch?</P> Tue, 06 Mar 2018 17:12:24 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320423#M162530 ledion 2018-03-06T17:12:24Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320424#M162531 <P>Yeah, try this </P> <PRE><CODE>index=... sourcetype=... | stats count(watch) by president | search president="Bush_W" | rename count(watch) AS passed_to_secret_service_agent | eval where_is_stolen_watch=if(passed_to_secret_service_agent&gt;0,"The U.S. gov forgot to give it back","The watch was stolen") | table president where_is_stolen_watch </CODE></PRE> Tue, 06 Mar 2018 18:15:57 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320424#M162531 skoelpin 2018-03-06T18:15:57Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320425#M162532 <P>Nuh-uh. Stats count by field will never yield zeroes.</P> Tue, 06 Mar 2018 18:59:25 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320425#M162532 martin_mueller 2018-03-06T18:59:25Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320426#M162533 <P>don't we need some <CODE>geostats</CODE> ?</P> Tue, 06 Mar 2018 21:36:02 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320426#M162533 ledion 2018-03-06T21:36:02Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320427#M162534 <P>Indeed, you'd have to table all the presidents afterwards and fillnull to get those zeroes, that could get tedious, are we also assuming that both pocket and wrist have been classified under the watch field?</P> Wed, 07 Mar 2018 14:29:53 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320427#M162534 paulbannister 2018-03-07T14:29:53Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320428#M162535 <P>Only if it was a smart watch with GPS positioning.</P> Wed, 07 Mar 2018 22:32:55 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320428#M162535 yannK 2018-03-07T22:32:55Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320429#M162536 <P>Line 3 will narrow down to only search "Bush_W". When I googled this scenario, the first thing I saw was that the secret service grabbed it before it was stolen and never gave it back, so I went with it. The answer will always return this if that president ever owned a watch </P> <PRE><CODE>**President** | **Where_is_stolen_watch** Bush_W | "The U.S. gov forgot to give it back </CODE></PRE> Wed, 07 Mar 2018 22:54:01 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320429#M162536 skoelpin 2018-03-07T22:54:01Z https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320430#M162537 <P>SInce there are so many presidents and watches in the index, you'd want to be in the habit of checking identity of the president first, rather than wasting all those mips counting up the other couple of hundred records.</P> <P>Also, since typists may get confused between the various George Bush presidents, and because the name can appear in various forms, you might be better off testing for something like...</P> <PRE><CODE>| search (first_name="George" AND last_name="Bush") OR president_number = 43 </CODE></PRE> Thu, 08 Mar 2018 01:00:15 GMT https://community.splunk.com/t5/Splunk-Search/search-to-find-Bush-s-stolen-watch/m-p/320430#M162537 DalJeanis 2018-03-08T01:00:15Z