https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693712#M235993 <P>Hi Team,</P><P>i have a search that query's for 4 IN conditions and then list them. The search works fine but i need help with one request. I only want to display the events that fulfill all 4 conditions within the IN statement:</P><P>Search:</P><P>index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$<BR />| stats count by src_user,src_ip,RelativeTargetName,host_fqdn<BR />| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn</P><P>Table:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_question.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31812iDEA5B6A108745A2F/image-size/large?v=v2&amp;px=999" role="button" title="splunk_question.png" alt="splunk_question.png" /></span></P><P>So in only want to see the events that match all 4 RelativeTargetNames not the one that matches only one.</P><P>&nbsp;</P><P>Any help would be appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 18 Jul 2024 10:15:52 GMT DanielAmlung 2024-07-18T10:15:52Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693712#M235993 <P>Hi Team,</P><P>i have a search that query's for 4 IN conditions and then list them. The search works fine but i need help with one request. I only want to display the events that fulfill all 4 conditions within the IN statement:</P><P>Search:</P><P>index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$<BR />| stats count by src_user,src_ip,RelativeTargetName,host_fqdn<BR />| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn</P><P>Table:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="splunk_question.png" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/31812iDEA5B6A108745A2F/image-size/large?v=v2&amp;px=999" role="button" title="splunk_question.png" alt="splunk_question.png" /></span></P><P>So in only want to see the events that match all 4 RelativeTargetNames not the one that matches only one.</P><P>&nbsp;</P><P>Any help would be appreciated <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 18 Jul 2024 10:15:52 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693712#M235993 DanielAmlung 2024-07-18T10:15:52Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693719#M235995 <P>hi<BR /><BR />have you tried mvexpand&nbsp;<SPAN>list(RelativeTargetName)</SPAN></P> Thu, 18 Jul 2024 10:47:28 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693719#M235995 sintjm 2024-07-18T10:47:28Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693722#M235997 <P>Hi, thanks for the answer, but i don't want to expand the multi value field. So this is not what iam looking for</P> Thu, 18 Jul 2024 10:57:34 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693722#M235997 DanielAmlung 2024-07-18T10:57:34Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693723#M235998 <LI-CODE lang="markup">| stats list(RelativeTargetName) as RelativeTargetName by src_ip, src_user,host_fqdn | where mvcount(RelativeTargetName) = 4</LI-CODE> Thu, 18 Jul 2024 11:01:45 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693723#M235998 ITWhisperer 2024-07-18T11:01:45Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693726#M236000 <P>As an additional hint, you could add your all four search term literally to limit the initial search results for a bit of a performance boost.</P><PRE>index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$ samr lsarpc srvsvc winreg<BR />| stats count by src_user,src_ip,RelativeTargetName,host_fqdn<BR />| stats list(RelativeTargetName) by src_ip, src_user,host_fqdn</PRE><P>But whether this is significantly beneficial you'd have to see the job inspect page.</P><P>Another way to limit your results (as opposed to <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a> 's solution which works on the summarized data) would be to add all four values explicitly as field values, not with the IN clause.</P><PRE>index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName=samr, RelativeTargetName=lsarpc RelativeTargetName=srvsvc RelativeTargetName=winreg src_user!=*$ <BR /><BR /></PRE> Thu, 18 Jul 2024 11:08:34 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693726#M236000 PickleRick 2024-07-18T11:08:34Z https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693727#M236001 <P>Thanks for pointing me in the right direction. I slightly modified the search and it now works:</P><P>&nbsp;</P><P>index=wineventlog EventCode=5145 file_name="\\\\*\\IPC$" RelativeTargetName IN (samr,lsarpc,srvsvc,winreg) src_user!=*$<BR />| stats count by src_user,src_ip,RelativeTargetName,host_fqdn<BR />| stats list(RelativeTargetName) as all by src_ip, src_user,host_fqdn<BR />| where mvcount(all) = 4</P> Thu, 18 Jul 2024 11:15:43 GMT https://community.splunk.com/t5/Splunk-Search/Display-only-events-that-fulfill-all-IN-conditions/m-p/693727#M236001 DanielAmlung 2024-07-18T11:15:43Z