Splunk Search

Match events in search by fields

Ponczi1
Explorer

Hello
I have a serach that gives me back two types of events. event A with field r_code and some other fields while event B with a field s_code. I want to list only Events A that can be matched by field r_code with Events B s_code field (meaning that if there is no event B that has s_code matching some Event A r_code then Event A should not be listed.

| from datamodel ABC.Perf |where isnotnull(s_code) OR isnotnull(r_code) |where ???
Tags (1)
0 Karma
1 Solution

cmerriman
Super Champion

you could try something like this:

....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner

https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin

View solution in original post

cmerriman
Super Champion

you could try something like this:

....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner

https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin

mayurr98
Super Champion

try this run anywhere search

| makeresults | eval event_A="1 2 3 4 5 6 7 8 9 10" | makemv event_A | mvexpand event_A | appendcols [| makeresults | eval event_B="8 2 5 9 11 64 66 7755 33 10" | makemv event_B | mvexpand event_B] | where event_A=event_B

If this does not work then provide r_code and s_code sample input data and provide what output you want.

let me know if this helps!

0 Karma

Ponczi1
Explorer

Ok, so the data is structured more like

_time | r_code    | s_code     | info
xxxxx | 12        |  null      | asd1
xxxxx | null      |  12        | null
xxxxx | 13        |  null      | asd2
xxxxx | 14        |  null      | asd3
xxxxx | null      |  14        | null

So i want to remove event with r_code=13 since there is no event with s_code=13

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...