Splunk Cloud Platform

How to display result when two fields are dependent

Splunkerninja
Path Finder

Hi,

I want to display the result only for users who have both IDs AR9 & AD. Below is sample data; I have about 10k results being generated with multiple values, but I need to display only those users who have both IDs AR9 & AD.

USER     ID
John     AD
John     AY9
Riya     AD
Toby     AR9
Nathan   AD
Nathan   AR9
Sam      AD
Sam      AR9

Thanks!


tej57
Path Finder

Hey @Splunkerninja,

I used makeresults to build a statistical table like the one provided in the question. You can use the query below to identify a User whose ID values include both "AD" and "AR9":

| makeresults 
| eval User="John", ID="AD" 
| append 
    [| makeresults 
    | eval User="John", ID="AY9"]
| append 
    [| makeresults 
    | eval User="Riya", ID="AD"]
| append 
    [| makeresults 
    | eval User="Toby", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AD"]
| append 
    [| makeresults 
    | eval User="Nathan", ID="AR9"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AD"]
| append 
    [| makeresults 
    | eval User="Sam", ID="AR9"]
| fields - _time
| table User ID
| stats values(ID) as ID by User
| mvcombine ID delim=" "
| eval match=if(match(ID,"(^|\s)AD(\s|$)") AND match(ID,"(^|\s)AR9(\s|$)"),1,0)
| search match="1"

 

Thanks,
Tejas.

---

If the above solution is helpful, an upvote is appreciated.
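The same check in Python, as an added example rather than code from the original post or from Splunk: each event is grouped by user, the distinct ID values become a set (the equivalent of `stats values(ID) by User`), and a user is reported when the required set is a subset of what was seen. The comparison is exact string equality, so "AY9" does not satisfy "AR9" and the order in which values were collected does not matter. It goes beyond the answer above in two ways: `required` can be any set of IDs, not just the pair from the question, and the earliest and latest timestamp per user are kept (the SPL above drops `_time` with `fields - _time`). The event records, field names and epoch timestamps below are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not data from the original post): one record per
# (User, ID) pair, with an epoch timestamp standing in for Splunk's _time.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "User": "John",   "ID": "AD"},
    {"_time": 1700000060, "User": "John",   "ID": "AY9"},  # near miss: AY9 is not AR9
    {"_time": 1700000120, "User": "Riya",   "ID": "AD"},
    {"_time": 1700000180, "User": "Toby",   "ID": "AR9"},
    {"_time": 1700000240, "User": "Nathan", "ID": "AD"},
    {"_time": 1700000300, "User": "Nathan", "ID": "AR9"},
    {"_time": 1700000360, "User": "Sam",    "ID": "AR9"},
    {"_time": 1700000420, "User": "Sam",    "ID": "AD"},
    {"_time": 1700000480, "User": "Sam",    "ID": "AD"},   # repeat; a set dedups like values()
]


def users_with_all_ids(events, required, user_field="User", id_field="ID", time_field="_time"):
    """Return {user: {"ids": [...], "first_seen": t, "last_seen": t}} for every
    user whose distinct ID values contain all of `required`.

    Equivalent to `stats min(_time) max(_time) values(ID) by User` followed by
    a subset test on the multivalue field. Matching is exact, not substring or
    regex based, so partial or look-alike IDs never count.
    """
    required = frozenset(required)
    groups = defaultdict(lambda: {"ids": set(), "first_seen": None, "last_seen": None})
    for ev in events:
        g = groups[ev[user_field]]
        g["ids"].add(ev[id_field])
        t = ev[time_field]
        g["first_seen"] = t if g["first_seen"] is None else min(g["first_seen"], t)
        g["last_seen"] = t if g["last_seen"] is None else max(g["last_seen"], t)
    return {
        user: {"ids": sorted(g["ids"]), "first_seen": g["first_seen"], "last_seen": g["last_seen"]}
        for user, g in groups.items()
        if required <= g["ids"]  # every required ID was seen for this user
    }


def format_report(matches):
    """Render the matches as tab-separated rows: user, IDs, first seen, last seen (UTC)."""
    lines = []
    for user in sorted(matches):
        m = matches[user]
        first = datetime.fromtimestamp(m["first_seen"], tz=timezone.utc).isoformat()
        last = datetime.fromtimestamp(m["last_seen"], tz=timezone.utc).isoformat()
        lines.append(f"{user}\t{' '.join(m['ids'])}\t{first}\t{last}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(users_with_all_ids(SAMPLE_EVENTS, {"AD", "AR9"})))
```

On the constructed data only Nathan and Sam are reported; John is excluded because AY9 is a different value from AR9, and Riya and Toby each hold only one of the two IDs.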


Splunkerninja
Path Finder

@tej57 Thanks, but how can I include _time as well in the result, since after mvcombine the _time data gets dropped?
