https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613579#M213248 <P>Yes thank you for your help. This is what i made of it.<BR /><BR /></P><LI-CODE lang="markup">.. | stats first(hst) as host by code type | eventstats c as total by code | where (type="master") OR (total=1 and type="host") | table host code type</LI-CODE><P>&nbsp;</P> Mon, 19 Sep 2022 10:28:10 GMT harryvdtol 2022-09-19T10:28:10Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613567#M213245 <P>Hello,</P> <P>I have a search that outputs table data that looks like this:</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">hst code type hosta 01 master hosta 02 master hostb 01 host hostb 03 host hostc 02 host hostd 04 host hoste 05 master hoste 06 master hostf 06 host hostg 08 host</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>etc.etc...</P> <P>I am trying to filter events but i am unable to do.</P> <P>My goal is to filter events based on this condition:<BR /><EM>If the code on a master also exist on the host, then the host rows should be removed</EM></P> <P>So, my desired output should look like this:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">hst code type hosta 01 master hosta 02 master hostb 03 host hostd 04 host hoste 05 master hoste 06 master hostg 08 host</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>I hope someone can help me.<BR />Thanks in advance.</P> <P>Regards,</P> <P>Harry</P> Mon, 19 Sep 2022 15:42:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613567#M213245 harryvdtol 2022-09-19T15:42:01Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613568#M213246 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241379">@harryvdtol</a>,</P><P>please try something like this:</P><LI-CODE lang="markup">&lt;your_search&gt; | stats first(host) AS host BY code type | table host code type</LI-CODE><P>Ciao.</P><P>Giuseppe</P><P>&nbsp;</P> Mon, 19 Sep 2022 08:48:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613568#M213246 gcusello 2022-09-19T08:48:02Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613579#M213248 <P>Yes thank you for your help. This is what i made of it.<BR /><BR /></P><LI-CODE lang="markup">.. | stats first(hst) as host by code type | eventstats c as total by code | where (type="master") OR (total=1 and type="host") | table host code type</LI-CODE><P>&nbsp;</P> Mon, 19 Sep 2022 10:28:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613579#M213248 harryvdtol 2022-09-19T10:28:10Z https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613585#M213250 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/241379">@harryvdtol</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Mon, 19 Sep 2022 11:03:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-filter-on-multiple-events/m-p/613585#M213250 gcusello 2022-09-19T11:03:44Z