Solved: Exclude field values from other field

marco_massari11 · ‎11-13-2020

Hi,

I have some sylog events, login failed and login success in particular. I can determine if the event is success or failed by a field (field1) which contain something like "success" or "failure". In the event I Have also a field mac_address(field2) which contain some MAC address. I need to count the number of mac address that exist in failure but nerver exist in success.

Can you help me???

Thanks in advance

somesoni2 · ‎11-13-2020

Try something like this:

index=foo  sourcetype=bar 
| stats values(field1) as status by field2
| where mvcount(status)=1 and status="failure"

View solution in original post

somesoni2 · ‎11-13-2020

Try something like this:

index=foo  sourcetype=bar 
| stats values(field1) as status by field2
| where mvcount(status)=1 and status="failure"

marco_massari11 · ‎11-14-2020

Hi somesoni2,

thank you so much for your answer, I think it's working. So the result is the list of mac address that never had a login success, right? And if I want a count of this result, what I need to add to the query?

Thank you so much

Exclude field values from other field

field extraction

index

syslog

Unlock Database Monitoring with Splunk Observability Cloud

Print, Leak, Repeat: UEBA Insider Threats You Can't Ignore

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation