Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Comparing results to identify values that have a certain value in previous records

Blueochotona
Engager
‎03-28-2025 05:24 AM

The two raw results are as follows : 

(1)

EventType="Device" Event="InstallProfileConfirmed" User="sysadmin" EnrollmentUser="hasubram" DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW" EventSource="Device" EventModule="Devices" EventCategory="Command" EventData="Profile=Apple macOS Apple Intelligence Restrictions" Event Timestamp: Mar 28 09:29:40

(2)

EventType="Device" Event="DeviceOperatingSystemChanged" User="sysadmin" EnrollmentUser="hasubram" DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW" EventSource="Device" EventModule="Devices" EventCategory="Assignment" EventData="Device=75639" Event Timestamp: Mar 28 09:29:29

Hoping to combine a search to identify (1)‘s DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW" which is a shared key between two results , as long (2) happens before (1) from a chronological experience.

I am already using the following to try and exclude certain results too : 

Index=*** <<Search Parameters>> NOT  DeviceFriendlyName IN (*15.3.0*,*15.3.1*)

 

Thank you 🙂

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 06:14 AM

Hi @Blueochotona 

Have a look at the following, does this achieve what you're looking for?

index=*** <<Search Parameters>> NOT DeviceFriendlyName IN (*15.3.0*,*15.3.1*)
(
    (EventType="Device" Event="DeviceOperatingSystemChanged")
    OR
    (EventType="Device" Event="InstallProfileConfirmed")
)
| eval {Event}_time=_time
| stats
    latest(*_time) as *_time
    values(Event) as events by DeviceFriendlyName
    
| where MATCH(events, "DeviceOperatingSystemChanged") AND MATCH(events, "InstallProfileConfirmed") AND DeviceOperatingSystemChanged_time < InstallProfileConfirmed_time

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 06:25 AM

Here is a working example using makeresults too

| makeresults 
| eval _raw="EventType=\"Device\" Event=\"InstallProfileConfirmed\" User=\"sysadmin\" EnrollmentUser=\"hasubram\" DeviceFriendlyName=\"blabla MacBook Air macOS 15.3.2 Q6LW\" EventSource=\"Device\" EventModule=\"Devices\" EventCategory=\"Command\" EventData=\"Profile=Apple macOS Apple Intelligence Restrictions\" Event Timestamp: Mar 28 09:29:40" 
| append 
    [| makeresults 
    | eval _raw="EventType=\"Device\" Event=\"DeviceOperatingSystemChanged\" User=\"sysadmin\" EnrollmentUser=\"hasubram\" DeviceFriendlyName=\"blabla MacBook Air macOS 15.3.2 Q6LW\" EventSource=\"Device\" EventModule=\"Devices\" EventCategory=\"Assignment\" EventData=\"Device=75639\" Event Timestamp: Mar 28 09:29:29"] 
    | kv
| rex field=_raw "Event Timestamp: (?<EventTime>.+)$"    
| eval _time=strptime(EventTime, "%b %d %H:%M:%S")
| search DeviceFriendlyName="blabla MacBook Air macOS 15.3.2 Q6LW"
| eval {Event}_time=_time
| stats
    latest(*_time) as *_time
    values(Event) as events by DeviceFriendlyName
    
| where MATCH(events, "DeviceOperatingSystemChanged") AND MATCH(events, "InstallProfileConfirmed") AND DeviceOperatingSystemChanged_time < InstallProfileConfirmed_time

livehybrid_0-1743168301777.png

 

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply

Blueochotona
Engager
‎03-28-2025 06:56 AM

Very kewl 🙂 

Thank you 🙂 Will give it a shot for sure ! 

Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 08:22 AM

Excellent, let us know how you get on 🙂

Will

0 Karma
Reply
Get Updates on the Splunk Community!

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...