https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250064#M74647 <P>How about this</P> <PRE><CODE>index=foo sourcetype=bar EventCode=4624 Logon_Type=2 OR Logon_Type=10 | stats values(Logon_Type) as Logon_Types by host | where mvcount(Logon_Types)=2 </CODE></PRE> Mon, 23 Jan 2017 17:17:34 GMT somesoni2 2017-01-23T17:17:34Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250062#M74645 <P>Hi guys,</P> <P>I'm trying to do a search that would return results only for a combination of 2 events. I'm specifically looking for successful logins <CODE>EventCode=4624</CODE> and only show results if for the host has had both interactive <CODE>Logon_Type=2</CODE> and remote <CODE>Logon_Type=10</CODE> logins. I tried my luck with <CODE>transaction</CODE> and <CODE>dedup</CODE> but to no luck. Any suggestions?</P> <P>Example:</P> <PRE><CODE>Host 1 Login, Remote Host 2 Login, Remote Host 2 Login, Remote Host 1 Login, Interactive Host 3 Login, Interactive Host 4 Login, Remote Host 4 Login, Interactive </CODE></PRE> <P>This would ideally just return info on Host 1 and Host 4 because they have both interactive and remote logons, while Host 2 has only remote and Host 3 has only interactive.</P> <P>Ideally the result would be just a table of hosts and possibly timestamps of the logins.</P> Mon, 23 Jan 2017 15:52:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250062#M74645 kalik 2017-01-23T15:52:01Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250063#M74646 <P>Hi kalik, </P> <P>I think you can use the <STRONG>mvcombine</STRONG> command to combine different login values pertaining to the same host into a single multivalue field. Assuming login is your field name, you can use the following example: </P> <PRE><CODE>... | mvcombine delim=";" login </CODE></PRE> <P>After that, you can easily search for the multivalue login field for your login type and return the hostnames properly. </P> <P>Hope this helps. Thanks!<BR /> Hunter</P> Mon, 23 Jan 2017 17:11:01 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250063#M74646 hunters_splunk 2017-01-23T17:11:01Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250064#M74647 <P>How about this</P> <PRE><CODE>index=foo sourcetype=bar EventCode=4624 Logon_Type=2 OR Logon_Type=10 | stats values(Logon_Type) as Logon_Types by host | where mvcount(Logon_Types)=2 </CODE></PRE> Mon, 23 Jan 2017 17:17:34 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250064#M74647 somesoni2 2017-01-23T17:17:34Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250065#M74648 <P>Thanks a lot somesoni2, that worked exactly like I wanted it to do, and such a simple and elegant solution too! Thanks again!</P> Tue, 24 Jan 2017 12:04:48 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250065#M74648 kalik 2017-01-24T12:04:48Z https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250066#M74649 <P>Thanks Hunter, that didn't exactly worked the way I wanted it to, but thank you for the suggestion!</P> Tue, 24 Jan 2017 12:05:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-display-results-only-for-a/m-p/250066#M74649 kalik 2017-01-24T12:05:26Z