Solved: Re: How to extract only the values that has the sa...

danielgp89 · ‎01-18-2019

Hello!

I have events from two different fields that are correlate each other by the time.

So I want to make a table extracting only those values that were generate at the same time from a range of time of one day.

For example in the table below, there are two values that has the same time:

How can I extract the events that only has the same timestamp from those two fields (MSGNUM=SVM4000I and SVM4874I)

renjith_nair · ‎01-18-2019

@danielgp89,

Try this and verify if its working for you

"your base search"|eventstats dc(MSGNUM) as c by _time|where c>1

This should result only those events which has at least 2 MSGNUM values of same time

Happy Splunking!

renjith_nair · ‎01-18-2019

@danielgp89,

Try this and verify if its working for you

"your base search"|eventstats dc(MSGNUM) as c by _time|where c>1

This should result only those events which has at least 2 MSGNUM values of same time

Happy Splunking!

danielgp89 · ‎01-20-2019

Thanks so much Renjith!

Your going to heaven!

How to extract only the values that has the same timestamp from two different fields in a range of time PLEASE HELP ME!!!