Splunk Cloud Platform
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display result when two fields are dependent

Splunkerninja
Path Finder
‎11-29-2023 04:01 AM

Hi,

I want to display the result only for users who  has both ID  AR9 & AD. Below is sample data, I have about 10k results being generated with multiple values but i need to display only those users who has ID both AR9 & AD 

USER

 ID

John

AD

John

AY9

Riya

AD

Toby

AR9

Nathan

AD

Nathan

AR9

Sam

AD

Sam

AR9

 

Thanks!

 

Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tej57
Builder
‎11-29-2023 04:32 AM

Hey @Splunkerninja,

I used makeresults to get a statistical table as provided in the question. You can use the below query to identify a User that has ID to be "AD" and "AR9"

| makeresults 
| eval User="John", ID="AD" 
| append 
    [| makeresults 
    | eval User="John", ID="AY9"]
| append 
    [| makeresults 
    | eval User="Riya", ID="AD"]
| append 
    [| makeresults 
    | eval User="Toby", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AD"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AD"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"

 

Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

tej57
Builder
‎11-29-2023 04:32 AM

Hey @Splunkerninja,

I used makeresults to get a statistical table as provided in the question. You can use the below query to identify a User that has ID to be "AD" and "AR9"

| makeresults 
| eval User="John", ID="AD" 
| append 
    [| makeresults 
    | eval User="John", ID="AY9"]
| append 
    [| makeresults 
    | eval User="Riya", ID="AD"]
| append 
    [| makeresults 
    | eval User="Toby", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AD"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AD"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"

 

Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated.

Reply
Solved! Jump to solution

Splunkerninja
Path Finder
‎11-29-2023 05:46 AM

@tej57 Thanks but how can i include _time as well in the result since after mvcombine the _time data gets dropped

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...