Filter condition based on multiple events

mahesh_ravji1 · ‎07-31-2014

Hi There,
I have a search that outputs table data that looks like this:

Customer    Service_Name    User
Customer-123    Service-AAA User-A
Customer-123    Service-BBB User-A
Customer-123    Service-CCC User-A
Customer-123    Service-AAA User-B
Customer-123    Service-BBB User-B
Customer-123    Service-AAA User-C
Customer-123    Service-CCC User-C

I would like to filter this table so that ‘Service-CCC’ is removed if the same user also has ‘Service-BBB’. The ‘Service-CCC’ should be kept if the user does not have ‘Service-BBB’. So the filtered output should be:

Customer    Service_Name    User
Customer-123    Service-AAA User-A
Customer-123    Service-BBB User-A
Customer-123    Service-AAA User-B
Customer-123    Service-BBB User-B
Customer-123    Service-AAA User-C
Customer-123    Service-CCC User-C

Thanks in advance.

somesoni2 · ‎08-01-2014

Try this

Your base search giving Customer Service User fields | eventstats values(Service) as Services by User | eval include=if(isnotnull(mvfind(Services,"Service-BBB")) AND isnotnull(mvfind(Services,"Service-CCC")) AND Service="Service-CCC",0,1) | where include=1 | fields - include Services

mahesh_ravji1 · ‎08-19-2014

Thanks very much - this solved my problem 🙂

Filter condition based on multiple events

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Investigate Security and Threat Detection with VirusTotal and Splunk Integration