https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440663#M191177 <P>Here is an example looking at the result of the current search we use. We would want to be able to filter it out to only the ones that are just open:</P> <P>(first host, we would want to filter down to see events like this)</P> <P>Source: 10.0.0.14 Severity: Medium <BR /> Message: FIREEYE NX ALERT [SmartVision-Event] Malware: user enumeration attempt<BR /><BR /> Owner: Status: Open Time: 8/8/2019 11:37<BR /><BR /> count: 1</P> <P>(second and third host, would want to filter out all of these due to the Owner field being full in at least one of the events, and one of the Status fields being set to Closed) </P> <P>Source: 10.0.0.11 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Closed Time: 8/8/2019 10:07<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Open Time: 8/8/2019 10:27 <BR /> count: 2</P> <P>Source: 10.0.0.10 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Closed Time: 8/8/2019 10:27<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Open Time: 8/8/2019 11:12 <BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: Status: Time: 8/8/2019 11:27<BR /> count: 3</P> Thu, 08 Aug 2019 18:21:12 GMT RyanDonnelly22 2019-08-08T18:21:12Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440661#M191175 <P>I have alert logs coming in from an AV tool and when a tech is working on an alert assigned it to themselves, it generates a new log file, same when it is closed.</P> <P>This is the basic search I have for all the events:</P> <P>index="AV"<BR /><BR /> |rename assignedTo.username as Owner<BR /><BR /> | rename alertTypeDetails.detail.agenthostname as agenthostname<BR /> |rename alertTypeDetails.source as source <BR /> | eval "Source"=coalesce(source,agenthostnamee," N/A ") <BR /> | rename alertTypeDetails.detail.virus as virus <BR /> | rename alertTypeDetails.detail.category as category <BR /> | eval "Malware"=coalesce(iocnames, virus, category, " N/A ") <BR /> | eval Owner=if(isnull(Owner)," ",Owner)<BR /><BR /> | eval Time=strftime(_time, " %m/%d/%Y %H:%M:%S") <BR /> | stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count by Source<BR /><BR /> | sort -Status</P> <P>I want to exclude the hosts that have additional events where the values of Owner is not " " and the Status is not Open, so I can just see the new events that haven't been assigned or closed yet. </P> Wed, 30 Sep 2020 01:41:47 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440661#M191175 RyanDonnelly22 2020-09-30T01:41:47Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440662#M191176 <P>Hi @RyanDonnelly22 , a few sample events would help correlate with the query posted.</P> Thu, 08 Aug 2019 16:48:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440662#M191176 vik_splunk 2019-08-08T16:48:19Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440663#M191177 <P>Here is an example looking at the result of the current search we use. We would want to be able to filter it out to only the ones that are just open:</P> <P>(first host, we would want to filter down to see events like this)</P> <P>Source: 10.0.0.14 Severity: Medium <BR /> Message: FIREEYE NX ALERT [SmartVision-Event] Malware: user enumeration attempt<BR /><BR /> Owner: Status: Open Time: 8/8/2019 11:37<BR /><BR /> count: 1</P> <P>(second and third host, would want to filter out all of these due to the Owner field being full in at least one of the events, and one of the Status fields being set to Closed) </P> <P>Source: 10.0.0.11 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Closed Time: 8/8/2019 10:07<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Open Time: 8/8/2019 10:27 <BR /> count: 2</P> <P>Source: 10.0.0.10 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Closed Time: 8/8/2019 10:27<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Open Time: 8/8/2019 11:12 <BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: Status: Time: 8/8/2019 11:27<BR /> count: 3</P> Thu, 08 Aug 2019 18:21:12 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440663#M191177 RyanDonnelly22 2019-08-08T18:21:12Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440664#M191178 <P>Here is an example of the results we see:</P> <P>(first host, we would want to filter down to just see hosts like this)</P> <P>Source: 10.0.0.14 Severity: Medium <BR /> Message: FIREEYE NX ALERT [SmartVision-Event] Malware: user enumeration attempt<BR /><BR /> Owner: Status: Open Time: 8/8/2019 11:37<BR /><BR /> count: 1</P> <P>(second and third host, would want to filter out all of these due to one of their Owner fields being full and one of the Status fields being set to Closed) </P> <P>Source: 10.0.0.11 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Closed Time: 8/8/2019 10:07<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user2@corp.com">user2@corp.com</A> Status: Open Time: 8/8/2019 10:27<BR /><BR /> count: 2</P> <P>Source: 10.0.0.10 Severity: Low<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Closed Time: 8/8/2019 10:27<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Open Time: 8/8/2019 11:12<BR /><BR /> Message: FIREEYE NX ALERT [Riskware-Callback] Malware: adware.downware<BR /><BR /> Owner: <A href="mailto:user1@corp.com">user1@corp.com</A> Status: Time: 8/8/2019 11:27<BR /> count: 3 </P> Thu, 08 Aug 2019 18:27:31 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440664#M191178 RyanDonnelly22 2019-08-08T18:27:31Z https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440665#M191179 <P>I was able to find an answer. </P> <P>I need to use the 'where' command at the end of my search</P> <P>| stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count by Source <BR /> <STRONG>| where Status !="Closed" and Owner=" "</STRONG><BR /> | sort -Status</P> Fri, 09 Aug 2019 18:03:04 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-compare-multiple-events-to-filter-out-the-same-host/m-p/440665#M191179 RyanDonnelly22 2019-08-09T18:03:04Z