Solved: Exclude field values from other field

marco_massari11 · ‎11-13-2020

Hi,

I have some sylog events, login failed and login success in particular. I can determine if the event is success or failed by a field (field1) which contain something like "success" or "failure". In the event I Have also a field mac_address(field2) which contain some MAC address. I need to count the number of mac address that exist in failure but nerver exist in success.

Can you help me???

Thanks in advance

somesoni2 · ‎11-13-2020

Try something like this:

index=foo  sourcetype=bar 
| stats values(field1) as status by field2
| where mvcount(status)=1 and status="failure"

View solution in original post

somesoni2 · ‎11-13-2020

Try something like this:

index=foo  sourcetype=bar 
| stats values(field1) as status by field2
| where mvcount(status)=1 and status="failure"

marco_massari11 · ‎11-14-2020

Hi somesoni2,

thank you so much for your answer, I think it's working. So the result is the list of mac address that never had a login success, right? And if I want a count of this result, what I need to add to the query?

Thank you so much

Exclude field values from other field

field extraction

index

syslog

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation