index="A" sourcetype=B action=Yes
| search NOT [ search index="A" sourcetype=B action="No" | fields User ] | stats count by User
Here I'm trying to get the users whose action is Yes. But whenever users get 'Yes', they get 'No' as well at the same time in 20% of cases.
So I want those 80% of users who have only Yes as the action.
Could you please help.
So, you're looking for users who only received one of the two actions?
Using a subsearch has its limits:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchTutorial/Useasubsearch
You could accomplish something similar with the following:
index="A" sourcetype=B action=Yes OR action=No
| stats dc(action) as action_count by User
| search action_count<2
@kmaron, I've tried the query you posted. But it still gives both users.
I mean users with both actions.
Hi kmaron,
I'm getting output, but I believe the output I'm getting is much smaller (fewer records) than it should be.
If you think the results are incorrect, you can break the search down and review the data:
index="A" sourcetype=B action=Yes OR action=No
| stats dc(action) as action_count, values(action) as action by User
This will show all the results; you can sort by action_count, action, etc. Look for anomalous values for action.
Please share the output you got.
That would also give you the No people.
But changing it to
index="A" sourcetype=B action=Yes OR action=No
| stats dc(action) as action_count values(action) as action by User
| search action_count<2 AND action=Yes
would give only the Yes users.
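The two approaches in this thread (the original subsearch exclusion, and the `stats dc(action) ... | search action_count<2 AND action=Yes` version above) are modelled here in Python over a handful of constructed events, as an added example that is not part of the original thread or of Splunk itself. It shows why `action_count<2` on its own also returns the No-only users, and that once `action=Yes` is added both approaches select the same users. The event set, user names and function names are invented for illustration.

```python
"""Model of the thread's two SPL approaches, run over constructed events."""
from collections import defaultdict

# Constructed sample events (not data from the thread): one (User, action)
# pair per event. alice and dave only ever get "Yes"; bob gets both;
# carol only gets "No". alice appears twice so the dc() logic is exercised
# on a user with more than one event.
EVENTS = [
    {"User": "alice", "action": "Yes"},
    {"User": "bob",   "action": "Yes"},
    {"User": "bob",   "action": "No"},
    {"User": "carol", "action": "No"},
    {"User": "dave",  "action": "Yes"},
    {"User": "alice", "action": "Yes"},
]


def subsearch_style(events):
    """Models:
        index=A action=Yes
        | search NOT [search index=A action=No | fields User]
        | stats count by User
    The subsearch becomes the set of users seen with No; those users are
    dropped from the Yes events. In real Splunk the subsearch result set is
    capped (limits.conf [subsearch] maxout, 10,000 by default), so on a
    large data set the exclusion list can be silently truncated and some
    users with a No would leak into the result.
    """
    no_users = {e["User"] for e in events if e["action"] == "No"}
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "Yes" and e["User"] not in no_users:
            counts[e["User"]] += 1
    return dict(counts)


def stats_style(events, require_yes=True):
    """Models:
        index=A action=Yes OR action=No
        | stats dc(action) as action_count values(action) as action by User
        | search action_count<2 [AND action=Yes]
    dc() is the number of distinct action strings per user; values() is the
    sorted set of them. With require_yes=False this is the first query in
    the thread and keeps No-only users too.
    """
    by_user = defaultdict(set)
    for e in events:
        by_user[e["User"]].add(e["action"])
    result = {}
    for user, actions in by_user.items():
        if len(actions) < 2 and (not require_yes or "Yes" in actions):
            result[user] = sorted(actions)
    return result


if __name__ == "__main__":
    print("subsearch style:", subsearch_style(EVENTS))
    print("action_count<2 only:", stats_style(EVENTS, require_yes=False))
    print("action_count<2 AND action=Yes:", stats_style(EVENTS))
```

Because dc() counts distinct strings exactly, a value such as "yes" or "Yes " (trailing space) would count as a second action and push that user out of the `action_count<2` result; the `values(action)` column in the debugging search is where such variants show up.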
good catch!
I've tried the query you posted. But it still gives both users.
When I run the above query I'm getting results for both users, i.e., action=Yes and action=No. I'm not sure where this query went wrong.
Are you only going to have a single Yes and/or a single No for a user? So the most entries you would have for a single user is 2?