Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Cloud Platform
- :
- Re: How to display result when two fields are depe...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to display the result only for users who has both ID AR9 & AD. Below is sample data, I have about 10k results being generated with multiple values but i need to display only those users who has ID both AR9 & AD
USER | ID |
John | AD |
John | AY9 |
Riya | AD |
Toby | AR9 |
Nathan | AD |
Nathan | AR9 |
Sam | AD |
Sam | AR9 |
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @Splunkerninja,
I used makeresults to get a statistical table as provided in the question. You can use the below query to identify a User that has ID to be "AD" and "AR9"
| makeresults
| eval User="John", ID="AD"
| append
[| makeresults
| eval User="John", ID="AY9"]
| append
[| makeresults
| eval User="Riya", ID="AD"]
| append
[| makeresults
| eval User="Toby", ID="AR9"]
| append
[| makeresults
| eval User="Nathan", ID="AD"]
| append
[| makeresults
| eval User="Nathan", ID="AR9"]
| append
[| makeresults
| eval User="Sam", ID="AD"]
| append
[| makeresults
| eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"
Thanks,
Tejas.
---
If the above solution is helpful, an upvote is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @Splunkerninja,
I used makeresults to get a statistical table as provided in the question. You can use the below query to identify a User that has ID to be "AD" and "AR9"
| makeresults
| eval User="John", ID="AD"
| append
[| makeresults
| eval User="John", ID="AY9"]
| append
[| makeresults
| eval User="Riya", ID="AD"]
| append
[| makeresults
| eval User="Toby", ID="AR9"]
| append
[| makeresults
| eval User="Nathan", ID="AD"]
| append
[| makeresults
| eval User="Nathan", ID="AR9"]
| append
[| makeresults
| eval User="Sam", ID="AD"]
| append
[| makeresults
| eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=""
| eval match=if(match(ID,"AD AR9"),1,0)
| search match="1"
Thanks,
Tejas.
---
If the above solution is helpful, an upvote is appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@tej57 Thanks but how can i include _time as well in the result since after mvcombine the _time data gets dropped
Aligning Observability Costs with Business Value: Practical Strategies
Mastering Data Pipelines: Unlocking Value with Splunk
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
