https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225644#M66542 <P>Say I have two searches on data sets which contain four fields [field1, field2, field3, field4], e.g.<BR /><BR /> [1,20,am,a]<BR /> [1,20,am,b] <BR /> [1,20,pm,b]<BR /> [1,20,pm,c]</P> <P>Search 1: field1 = 1, field2 = 20, field3 = am will return [1,20,am,a] and [1,20,am,b]<BR /> Search 2: field1 = 1, field2 = 20, field3 = pm will return [1,20,pm, b] and [1,20,pm,c]</P> <P>Yet I'm interested in field4 and those events with values of field4 exclusively in my first search, i.e. [1,2,am,a] in this case since field4=b is also presented in second search.</P> <P>What would be an efficient way to do so? Thanks a lot!</P> Wed, 22 Jun 2016 23:16:17 GMT FallMonkey 2016-06-22T23:16:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225644#M66542 <P>Say I have two searches on data sets which contain four fields [field1, field2, field3, field4], e.g.<BR /><BR /> [1,20,am,a]<BR /> [1,20,am,b] <BR /> [1,20,pm,b]<BR /> [1,20,pm,c]</P> <P>Search 1: field1 = 1, field2 = 20, field3 = am will return [1,20,am,a] and [1,20,am,b]<BR /> Search 2: field1 = 1, field2 = 20, field3 = pm will return [1,20,pm, b] and [1,20,pm,c]</P> <P>Yet I'm interested in field4 and those events with values of field4 exclusively in my first search, i.e. [1,2,am,a] in this case since field4=b is also presented in second search.</P> <P>What would be an efficient way to do so? Thanks a lot!</P> Wed, 22 Jun 2016 23:16:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225644#M66542 FallMonkey 2016-06-22T23:16:17Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225645#M66543 <P>Can you try to clarify a little bit more of what you're looking for here? I don't see field4 mentioned in either of your searches </P> Thu, 23 Jun 2016 01:55:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225645#M66543 ryanoconnor 2016-06-23T01:55:01Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225646#M66544 <P>Thanks for the reply! </P> <P>Yes field4 is not listed as my search keyword but it's inside the event/data sets. One event actually contains much more fields but the ones I listed are most interesting for me. Please lemme know if you need more information.</P> Thu, 23 Jun 2016 02:52:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225646#M66544 FallMonkey 2016-06-23T02:52:35Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225647#M66545 <P>You have not been clear at all. Please start over, show us COMPLETE sample events and then desired final output.</P> Thu, 23 Jun 2016 06:42:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225647#M66545 woodcock 2016-06-23T06:42:44Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225648#M66546 <P>Sorry for not being clear. I've edited my question with more concrete samples for your information.</P> Thu, 23 Jun 2016 07:15:32 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225648#M66546 FallMonkey 2016-06-23T07:15:32Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225649#M66547 <P>You have made a minor adjustment to YOUR plan (not working) and ignored MY plan (which would have gotten you an answer instead of snark). Let me take a stab and you tell me if I am guessing anything remotely close (I am a nerd, not a mind reader):</P> <P>I am interested in taking running a search where I specify values for 3 fields and extracting from that search the values of a 4th field. I would then like to use those values to drive another search.</P> <P>In the case of the example data above, the first search is <CODE>1: field1 = 1, field2 = 20, field3 = am</CODE> and will return <CODE>[1,20,am,a] and [1,20,am,b]</CODE><BR /> These events with values <CODE>a</CODE> and <CODE>b</CODE> for field <CODE>field4</CODE>. Now I would like to use those values to drive another search like this: <CODE>field1 = 1, field2 = 20, field3 = pm (field4=b OR field4=c)</CODE> which would return <CODE>[1,20,pm, b]</CODE>.</P> <P>How can I do this all in a single search?</P> <P>See how I gave specific final desired output? I know that my guess is probably wrong, but why are you making us guess?</P> Thu, 23 Jun 2016 17:47:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225649#M66547 woodcock 2016-06-23T17:47:24Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225650#M66548 <P>Thanks a lot for the comment. Again sorry for the confusion caused here.</P> <P>I wish to run two similar searches first, as shown above. Then in the results there will be some events with same value of field4 between two search results.</P> <P>From there I wish to run another search/filtering on complete dataset, to get rid of those events with values of field4 that show up in my 2nd search. Therefore [1,20,am,b] and [1,20,pm,b] are taken out because field4=b is in my 2nd search, as well as [1,20,pm,c]. Clearly I need first two searches to identify how values of field4 are distributed between two searches, so that I could start filter.</P> <P>Then my question is how I can do all of this in one line. Please lemme know if something is still unclear.</P> Thu, 23 Jun 2016 18:02:28 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225650#M66548 FallMonkey 2016-06-23T18:02:28Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225651#M66549 <P>Try this</P> <PRE><CODE>"Your search1" | join type=outer field4 [search "your search2"] </CODE></PRE> Thu, 23 Jun 2016 18:13:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225651#M66549 diogofgm 2016-06-23T18:13:34Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225652#M66550 <P>Like this:</P> <PRE><CODE>index=YourIndexHere sourcetype=YourSourcetypeHere field1 = "1" field2 = "20" (field3 = "am" OR field3 = "pm") | stats dc(field3) AS numSources values(*) AS * BY field4 </CODE></PRE> <P>You now have a fully joined set:<BR /> For left Join, add this:</P> <PRE><CODE> | search field3="am" AND numSources&gt;1 </CODE></PRE> <P>For right join, add this:</P> <PRE><CODE> | search field3="pm" AND numSources&gt;1 </CODE></PRE> <P>For inner join, add this:</P> <PRE><CODE>| search numSources&gt;1 </CODE></PRE> <P>For outer join, add this:</P> <PRE><CODE>| search numSources=1 </CODE></PRE> Thu, 23 Jun 2016 18:45:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-events-based-on-certain-field-and-its/m-p/225652#M66550 woodcock 2016-06-23T18:45:42Z