https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470380#M192139 <P>run your solution on this part of log:</P> <PRE><CODE> 09:04:01.042,module1,F[6]L,IN 09:04:01.437,module1,F[6]L,OUT 09:04:01.438,module4,F[6]L,IN 09:04:01.439,module4,F[6]L,OUT 09:04:01.481,module2,F[6]L,IN 09:04:01.482,module2,F[6]L,IN 09:04:01.483,module2,F[6]L,IN 09:04:01.484,module2,F[6]L,OUT 09:04:01.485,module2,F[6]L,OUT 09:04:01.488,module50,F[18]L,IN 09:04:01.489,module52,F[20]L,IN 09:04:01.490,module53,F[18]L,OUT 09:04:01.491,module52,F[20]L,OUT" </CODE></PRE> <P>result: <BR /> 09:04:01.481,module2,F[6]L,IN<BR /> 09:04:01.482,module2,F[6]L,IN<BR /> 09:04:01.488,module50,F[18]L,IN</P> <P>expected result:<BR /> 09:04:01.483,module2,F[6]L,IN<BR /> 09:04:01.488,module50,F[18]L,IN<BR /> 09:04:01.490,module53,F[18]L,OUT</P> Mon, 30 Dec 2019 10:09:35 GMT indeed_2000 2019-12-30T10:09:35Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470374#M192133 <P>Hi<BR /> I have log file like this:</P> <PRE><CODE>09:04:04.042 module1: F[6]L: IN 09:04:01.417 module1: F[6]L: OUT 09:04:01.418 module4: F[6]L: IN 09:04:01.419 module4: F[6]L: OUT 09:04:01.420 module12: F[6]L: IN 09:04:01.421 module2: F[6]L: IN 09:04:01.422 module41: F[6]L: IN 09:04:01.426 module12: F[6]L: OUT 09:04:01.427 module50: F[18]L: IN 09:04:01.428 module52: F[20]L: IN 09:04:01.429 module50: F[18]L: OUT 09:04:01.435 module52: F[20]L: OUT </CODE></PRE> <P>as you see every module had (IN) value after while (OUT).</P> <P>Now I want to define something to expect (OUT) value for each (IN) due to the Fingerprint and Module.<BR /> For example in above log file:<BR /> 1- group them by F (F value means fingerprint)<BR /> 2- group them by modules <BR /> 3- detect any F had (IN) but no (OUT). example module2, module41 with F[6] had IN (input) but never had OUT (output). </P> <P>Any recommendation?</P> <P>Thanks,</P> Sat, 28 Dec 2019 16:48:29 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470374#M192133 indeed_2000 2019-12-28T16:48:29Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470375#M192134 <P>Hi @mehrdad_2000,<BR /> you could run something like this:</P> <PRE><CODE>index=my_index | rex "^\d+:\d+:\d+\.\d+\s+(?&lt;module&gt;[^:]*):\s+(?&lt;fingerprint&gt;[^:]*):\s+(?&lt;value&gt;\w+)" | stats dc(value) AS dc_values values(value) AS value BY module fingerprint | where dc_values&lt;2 AND value="IN" | table module fingerprint </CODE></PRE> <P>Ciao and Happy New Year.<BR /> Giuseppe</P> Sat, 28 Dec 2019 16:58:39 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470375#M192134 gcusello 2019-12-28T16:58:39Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470376#M192135 <P>Thank you and Happy New Year <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> this is large file I can't define dc value, it has lots of this kind of events.</P> <P>I expect every single value that hadn't output.</P> <P>Any idea?</P> Sat, 28 Dec 2019 17:10:26 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470376#M192135 indeed_2000 2019-12-28T17:10:26Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470377#M192136 <P>Hi @mehrdad_2000,<BR /> if you have many events it isn't a problem!<BR /> if you could have more than 2 events for the same module and fingerprint, you have to use the transaction command that's a very slow command</P> <PRE><CODE> index=my_index | rex "^\d+:\d+:\d+\.\d+\s+(?&lt;module&gt;[^:]*):\s+(?&lt;fingerprint&gt;[^:]*):\s+(?&lt;value&gt;\w+)" | transaction module fingerprint startswith=": IN" | where eventcount&lt;2 | table module fingerprint </CODE></PRE> <P>Ciao and Happy New Year.<BR /> Giuseppe</P> Sat, 28 Dec 2019 17:17:24 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470377#M192136 gcusello 2019-12-28T17:17:24Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470378#M192137 <P>Like this:</P> <PRE><CODE>| makeresults | eval _raw="Time,module,fingerprint,direction 9:04:04.042,module1,F[6]L,IN 09:04:01.437,module1,F[6]L,OUT 09:04:01.427,module4,F[6]L,IN 09:04:01.422,module4,F[6]L,OUT 09:04:01.381,module12,F[6]L,IN 09:04:01.371,module2,F[6]L,IN 09:04:01.338,module41,F[6]L,IN 09:04:01.381,module12,F[6]L,OUT 09:04:01.338,module50,F[18]L,IN 09:04:01.381,module52,F[20]L,IN 09:04:01.338,module50,F[18]L,OUT 09:04:01.381,module52,F[20]L,OUT" | multikv forceheader=1 | eval _time = strptime(Time, "%H:%M:%S.%3N") | sort 0 - _time | rename COMMENT AS "Everything above generates sample event data; everything below is your solution" | stats dc(direction) AS dc values(direction) AS directions BY fingerprint module | where dc&lt;2 </CODE></PRE> Sat, 28 Dec 2019 23:19:01 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470378#M192137 woodcock 2019-12-28T23:19:01Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470379#M192138 <P>Thank you @woodcock this is exactly what i want. </P> Sun, 29 Dec 2019 13:42:56 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470379#M192138 indeed_2000 2019-12-29T13:42:56Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470380#M192139 <P>run your solution on this part of log:</P> <PRE><CODE> 09:04:01.042,module1,F[6]L,IN 09:04:01.437,module1,F[6]L,OUT 09:04:01.438,module4,F[6]L,IN 09:04:01.439,module4,F[6]L,OUT 09:04:01.481,module2,F[6]L,IN 09:04:01.482,module2,F[6]L,IN 09:04:01.483,module2,F[6]L,IN 09:04:01.484,module2,F[6]L,OUT 09:04:01.485,module2,F[6]L,OUT 09:04:01.488,module50,F[18]L,IN 09:04:01.489,module52,F[20]L,IN 09:04:01.490,module53,F[18]L,OUT 09:04:01.491,module52,F[20]L,OUT" </CODE></PRE> <P>result: <BR /> 09:04:01.481,module2,F[6]L,IN<BR /> 09:04:01.482,module2,F[6]L,IN<BR /> 09:04:01.488,module50,F[18]L,IN</P> <P>expected result:<BR /> 09:04:01.483,module2,F[6]L,IN<BR /> 09:04:01.488,module50,F[18]L,IN<BR /> 09:04:01.490,module53,F[18]L,OUT</P> Mon, 30 Dec 2019 10:09:35 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470380#M192139 indeed_2000 2019-12-30T10:09:35Z https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470381#M192140 <P>run your solution on this part of log:<BR /> 09:04:01.042,module1,F[6]L,IN<BR /> 09:04:01.437,module1,F[6]L,OUT<BR /> 09:04:01.438,module4,F[6]L,IN<BR /> 09:04:01.439,module4,F[6]L,OUT<BR /> 09:04:01.481,module2,F[6]L,IN<BR /> 09:04:01.482,module2,F[6]L,IN<BR /> 09:04:01.483,module2,F[6]L,IN<BR /> 09:04:01.484,module2,F[6]L,OUT<BR /> 09:04:01.485,module2,F[6]L,OUT<BR /> 09:04:01.488,module50,F[18]L,IN<BR /> 09:04:01.489,module52,F[20]L,IN<BR /> 09:04:01.490,module53,F[18]L,OUT<BR /> 09:04:01.491,module52,F[20]L,OUT"</P> <P>result:<BR /> 09:04:01.488,module50,F[18]L,IN<BR /> 09:04:01.490,module53,F[18]L,OUT</P> <P>expected result:<BR /> 09:04:01.483,module2,F[6]L,IN<BR /> 09:04:01.488,module50,F[18]L,IN<BR /> 09:04:01.490,module53,F[18]L,OUT</P> Mon, 30 Dec 2019 14:26:02 GMT https://community.splunk.com/t5/Splunk-Search/expect-value/m-p/470381#M192140 indeed_2000 2019-12-30T14:26:02Z