Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 
Ask a Question

Filter condition based on multiple events

mahesh_ravji1
Explorer
โ€Ž07-31-2014 08:11 PM

Hi There,
I have a search that outputs table data that looks like this:

Customer    Service_Name    User
Customer-123    Service-AAA User-A
Customer-123    Service-BBB User-A
Customer-123    Service-CCC User-A
Customer-123    Service-AAA User-B
Customer-123    Service-BBB User-B
Customer-123    Service-AAA User-C
Customer-123    Service-CCC User-C

I would like to filter this table so that โ€˜Service-CCCโ€™ is removed if the same user also has โ€˜Service-BBBโ€™. The โ€˜Service-CCCโ€™ should be kept if the user does not have โ€˜Service-BBBโ€™. So the filtered output should be:

Customer    Service_Name    User
Customer-123    Service-AAA User-A
Customer-123    Service-BBB User-A
Customer-123    Service-AAA User-B
Customer-123    Service-BBB User-B
Customer-123    Service-AAA User-C
Customer-123    Service-CCC User-C

Thanks in advance.

Tags (1)
Reply

somesoni2
SplunkTrust
SplunkTrust
โ€Ž08-01-2014 10:24 AM

Try this

Your base search giving Customer Service User fields | eventstats values(Service) as Services by User | eval include=if(isnotnull(mvfind(Services,"Service-BBB")) AND isnotnull(mvfind(Services,"Service-CCC")) AND Service="Service-CCC",0,1) | where include=1 | fields - include Services
Reply

mahesh_ravji1
Explorer
โ€Ž08-19-2014 03:01 PM

Thanks very much - this solved my problem ๐Ÿ™‚

0 Karma
Reply