https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653476#M225819 <P>Assuming you have extracted the isTrue and transactionID fields</P><LI-CODE lang="markup">| eventstats values(isTrue) as isTrue by transactionID | where isTrue==1</LI-CODE> Mon, 07 Aug 2023 22:01:58 GMT ITWhisperer 2023-08-07T22:01:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653463#M225816 <P>We would like to have the search results based on the following criteria. We have records in the event log with the following values</P> <P>transactionID: abc | is_true: 1 | eventType: main | other_attributes_data</P> <P>transactionID: abc | eventType: event-A | other_attributes_data</P> <P>transactionID: abc | eventType: event-C | other_attributes_data</P> <P>transactionID: abc | eventType: event-F | other_attributes_data</P> <P>transactionID: def | is_true: 0 | eventType: main | other_attributes_data</P> <P>transactionID: def | eventType: event-B | other_attributes_data</P> <P>transactionID: def | eventType: event-C | other_attributes_data</P> <P>transactionID: def | eventType: event-E | other_attributes_data</P> <P>We basically want a search string, that identifies the "main" event records whose is_true value is "1". Once that is done, then we want all the events that are associated to the same "transactionID".&nbsp;</P> <P>In this example, since "transactionID: abc" has the main event, whose is_true value is 1, then we would like to list all the events associated to that particular transactionID.&nbsp;</P> <P>The output for the query ranswer for the query will be something like</P> <P>transactionID: abc | eventType: main | other_attributes_data</P> <P>transactionID: abc | eventType: event-A | other_attributes_data</P> <P>transactionID: abc | eventType: event-C | other_attributes_data</P> <P>transactionID: abc | eventType: event-F | other_attributes_data</P> <P>&nbsp;</P> <P>The "transactionID: def" records will not be coming back in the search results, as the corresponding main event has is_true value of "0".</P> <P>How can we write such query?</P> <P>Appreciate the response. Thanks,</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 08 Aug 2023 16:33:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653463#M225816 vijayaxyz 2023-08-08T16:33:28Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653476#M225819 <P>Assuming you have extracted the isTrue and transactionID fields</P><LI-CODE lang="markup">| eventstats values(isTrue) as isTrue by transactionID | where isTrue==1</LI-CODE> Mon, 07 Aug 2023 22:01:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653476#M225819 ITWhisperer 2023-08-07T22:01:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653583#M225858 <P>Thanks. That worked.</P> Tue, 08 Aug 2023 15:03:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-the-event-log-based-on-a-parameter-value-from/m-p/653583#M225858 vijayaxyz 2023-08-08T15:03:00Z