https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11815#M838 <P>I have a simple case where I want to see if the value of one field has shown up as the value of another field.</P> <PRE><CODE>rec=dns a=3.4.2.3 rec=dns a=5.1.2.3 rec=tcpsession server=5.1.2.3 rec=tcpsession server=3.4.2.3 rec=tcpsession server=6.3.2.4 rec=tcpsession server=5.6.7.8 </CODE></PRE> <P>intended search: (show me rec=tcpsession events in which server=(some value that has shown up as the value of "a" in a "rec=dns" event)</P> <P>intended results: rec=tcpsession server=5.1.2.3 rec=tcpsession server=3.4.2.3</P> <P>transaction seems to be one way, but i'm looking for a simpler search structure that doesn't require rex.</P> Tue, 20 Apr 2010 05:51:59 GMT the_wolverine 2010-04-20T05:51:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11815#M838 <P>I have a simple case where I want to see if the value of one field has shown up as the value of another field.</P> <PRE><CODE>rec=dns a=3.4.2.3 rec=dns a=5.1.2.3 rec=tcpsession server=5.1.2.3 rec=tcpsession server=3.4.2.3 rec=tcpsession server=6.3.2.4 rec=tcpsession server=5.6.7.8 </CODE></PRE> <P>intended search: (show me rec=tcpsession events in which server=(some value that has shown up as the value of "a" in a "rec=dns" event)</P> <P>intended results: rec=tcpsession server=5.1.2.3 rec=tcpsession server=3.4.2.3</P> <P>transaction seems to be one way, but i'm looking for a simpler search structure that doesn't require rex.</P> Tue, 20 Apr 2010 05:51:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11815#M838 the_wolverine 2010-04-20T05:51:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11816#M839 <P>You should use subsearch:</P> <PRE><CODE>rec=tcpsession [ search rec=dns | dedup a | fields a | rename a as server ] </CODE></PRE> <P>This will work for the number of distinct values of <CODE>a</CODE> up to the limit of the <CODE>format</CODE> command, which by default is 100.</P> Tue, 20 Apr 2010 06:51:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11816#M839 gkanapathy 2010-04-20T06:51:43Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11817#M840 <P>If the limits of the subsearch are an issue you can do a similar thing just with stats. There's probably a less heavyhanded way to do this and still use stats, but if you really just want the list of servers at the end of the day, this will do it too: </P> <P>rename a as server | stats values(rec) as multi_valued_rec by server | where multi_valued_rec="dns" </P> <P>rename the a values to server. We do this so we can end up with uniform 'server' fields in the results. Then our stats can do a 'by server', so we'll end up with one ip address per row, and a multivalued field called 'multivalued_rec'. Where (and even stats itself) are perfectly capable of dealing with multivalued fields so we just filter the ip list with a where clause and there you go. </P> Fri, 23 Apr 2010 13:14:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11817#M840 sideview 2010-04-23T13:14:08Z https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11818#M841 <P>probably want <CODE>... | where multi_valued_rec="dns" AND multi_valued_rec="tcpsession"</CODE> at the end in this case. and just to be explicit, the initial search term before the rename would be <CODE>rec=dns OR rec=tcpsession | ...</CODE></P> Fri, 23 Apr 2010 13:25:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-for-a-field-value-that-has-appeared-as-the-value/m-p/11818#M841 gkanapathy 2010-04-23T13:25:22Z