https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604508#M210270 <P>Based on your illustrations 1 and 2, I think ITWhisperer's method should work, like this:</P><LI-CODE lang="markup">index=servers (server=backups OR server=*Database*) | eventstats values(server) as servergroup by Storage | where isnull(mvfind(servergroup, backups))</LI-CODE><P>Basically, eventstats groups servers based on Storage they use; mvfind() selects those servers that uses the same Storage as used by "backups". &nbsp;Then, isnull() negates the find to pick out those that do not use that storage.</P> Tue, 05 Jul 2022 23:18:26 GMT yuanliu 2022-07-05T23:18:26Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604463#M210251 <P>I can't wrap my head around how to do this search.&nbsp; It's like I need an array or variable.</P><P>Example Data:</P><TABLE border="1" width="100%"><TBODY><TR><TD>Hostname</TD><TD>Storage</TD></TR><TR><TD width="50%">BackupServer</TD><TD width="50%">BackupStorage</TD></TR><TR><TD width="50%">Database1</TD><TD width="50%">Storage1</TD></TR><TR><TD width="50%">Database2</TD><TD width="50%">Storage2</TD></TR><TR><TD width="50%">Database3</TD><TD width="50%">BackupStorage</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>How can I say, show me a list of all servers using BackupServer[Storage], I dont know the name of backup storage in advance. All I know is the hostname is like Backupserver.</P><P>&nbsp;</P> Tue, 05 Jul 2022 15:26:55 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604463#M210251 splunk219783 2022-07-05T15:26:55Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604468#M210253 <P>Do you mean something like this?</P><LI-CODE lang="markup">| eventstats values(Hostname) as hosts by Storage | where isnotnull(mvfind(hosts,"BackupServer"))</LI-CODE> Tue, 05 Jul 2022 15:49:01 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604468#M210253 ITWhisperer 2022-07-05T15:49:01Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604476#M210257 <P>When I try that I just get my BackupServer.&nbsp; I shouldn't clarified, i'd like a search that only Shows me Database3 in the example dataset, but without knowing the Storage is "BackupStorage" to begin with.&nbsp; I need to lookup the datastore of backupserver, then make sure none of the others are on there.</P> Tue, 05 Jul 2022 16:30:30 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604476#M210257 splunk219783 2022-07-05T16:30:30Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604479#M210259 <P>I am not sure I understand your requirement - do you know the name of the BackupServer or not?</P><LI-CODE lang="markup">| eventstats values(Hostname) as hosts by Storage | where isnotnull(mvfind(hosts,"BackupServer")) AND Hostname!="BackupServer"</LI-CODE><P>If not, how do you identify which host is being used for backup storage?</P> Tue, 05 Jul 2022 16:43:33 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604479#M210259 ITWhisperer 2022-07-05T16:43:33Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604482#M210261 <PRE>&lt;your search&gt;<BR />| stats values(Hostname) as Hostname by Storage<BR />| where Hostname="BackupServer"</PRE><P>&nbsp;</P> Tue, 05 Jul 2022 16:49:07 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604482#M210261 PickleRick 2022-07-05T16:49:07Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604485#M210262 <P>I apologize if I'm being confusing. Let me try to explain it better.&nbsp;&nbsp; This backup server backups databases.&nbsp; I need to make sure none of the databases are on the same storage as the backup server.&nbsp; Because if we lost that storage we would lose both our backups and the database.</P><P>Here's the steps i'm trying to do with SPL.</P><P>1. Lookup what storage BackupServer is using with a search.&nbsp; Something like a&nbsp;</P><LI-CODE lang="markup">index=servers server=backups | fields Storage</LI-CODE><P>2. Make sure No Databases are using that Storage.&nbsp; I do not know which storage the backup server will be on, it could move around.</P><LI-CODE lang="markup">index=servers server=*Database* storage!=[Storagestringfromabove]</LI-CODE><P>&nbsp;</P><P>This is the search i've thrown together so far.&nbsp; The only way I can think of to accomplish 1 &amp; 2, is to output my backup storage to a lookup table, then look for a match.</P><LI-CODE lang="markup">index=servers source=*vmdk* VM=*database*| fields Datastore VM | search [inputlookup backup_server.csv | fields Datastore] | table VM Datastore </LI-CODE> Tue, 05 Jul 2022 17:05:01 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604485#M210262 splunk219783 2022-07-05T17:05:01Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604487#M210263 <P>This line creates a list of all the host which share the same storage by storage name</P><LI-CODE lang="markup">| eventstats values(Hostname) as hosts by Storage</LI-CODE><P>This line picks out the hosts which share the same storage as BackupServer</P><LI-CODE lang="markup">| where isnotnull(mvfind(hosts,"BackupServer")) AND Hostname!="BackupServer"</LI-CODE><P>&nbsp;How is that not what you have asked for?</P> Tue, 05 Jul 2022 17:28:06 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604487#M210263 ITWhisperer 2022-07-05T17:28:06Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604508#M210270 <P>Based on your illustrations 1 and 2, I think ITWhisperer's method should work, like this:</P><LI-CODE lang="markup">index=servers (server=backups OR server=*Database*) | eventstats values(server) as servergroup by Storage | where isnull(mvfind(servergroup, backups))</LI-CODE><P>Basically, eventstats groups servers based on Storage they use; mvfind() selects those servers that uses the same Storage as used by "backups". &nbsp;Then, isnull() negates the find to pick out those that do not use that storage.</P> Tue, 05 Jul 2022 23:18:26 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604508#M210270 yuanliu 2022-07-05T23:18:26Z https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604927#M210387 <P>Apologies for the delayed response, I was out of the office for a few days.&nbsp; Your example does work, thank you! I must've had a typo or something initially.</P> Fri, 08 Jul 2022 12:21:33 GMT https://community.splunk.com/t5/Splunk-Search/Make-sure-Value-from-one-specific-event-is-not-in-any-other/m-p/604927#M210387 splunk219783 2022-07-08T12:21:33Z