Splunk Cloud Platform

How to display result when two fields are dependent

Splunkerninja
Path Finder

Hi,

I want to display the result only for users who have both IDs AR9 & AD. Below is sample data. I have about 10k results being generated with multiple values, but I need to display only those users who have both IDs AR9 & AD.

USER     ID
John     AD
John     AY9
Riya     AD
Toby     AR9
Nathan   AD
Nathan   AR9
Sam      AD
Sam      AR9

Thanks!



tej57
Path Finder

Hey @Splunkerninja,

I used makeresults to get a statistical table as provided in the question. You can use the query below to identify a User that has both ID "AD" and "AR9".

| makeresults 
| eval User="John", ID="AD" 
| append 
    [| makeresults 
    | eval User="John", ID="AY9"]
| append 
    [| makeresults 
    | eval User="Riya", ID="AD"]
| append 
    [| makeresults 
    | eval User="Toby", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AD"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AD"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"


Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated.


Splunkerninja
Path Finder

@tej57 Thanks, but how can I include _time as well in the result, since after mvcombine the _time data gets dropped?
