Re: Filter Events that show value x and y by one t...

cn250039 · ‎11-29-2021

I am searching a source that has events that have FieldA and FieldB.

I need to find which events that have specific FieldA values (x or y) AND matching FieldB values (nonspecific).

My current search is:
Index=source FieldA IN ("x", "y")

I'm not sure how to filter the results to only show the events that have matching FieldB values.

richgalloway · ‎11-29-2021

I'm not sure what is meant by "matching FieldB values", but maybe this will get you going in the right direction.

index=source  FieldA IN ("x", "y")
| where FieldA = FieldB

---
If this reply helps you, Karma would be appreciated.

cn250039 · ‎11-29-2021

i need events that have FieldA(a, b) and FieldB is the same value for the events....

event	1	2	3	4	5	6	7	8	9
field a	a	a	b	a	b	a	a	a	a
field b	1	2	1	2	3	3	4	5	6

index= source FieldA("a","b") will return all events

i want to filter it so that only events that have matching values in FieldB and the values in field a differ

so i would expect events 1, 3, 5, and 6 to return from the table above

richgalloway · ‎11-29-2021

I think I understand now. Here's how I did that.

| makeresults | eval _raw="event fieldA fieldB
1     a      1
2     a      2
3     b      1
4     a      2
5     b      3
6     a      3
7     a      4
8     a      5
9     a      6"
| multikv forceheader=1
```Everything above just creates test data```
```Count the number of events and get a list of all the fieldA's for each fieldB
| eventstats count, values(fieldA) as A_fields by fieldB
```Filter out the singletons```
| where count > 1 AND mvcount(A_fields) > 1
| table event fieldA fieldB

---
If this reply helps you, Karma would be appreciated.

cn250039 · ‎11-30-2021

did i do this wrong?:

richgalloway · ‎11-30-2021

Remove the backticks on the end of the first line.

---
If this reply helps you, Karma would be appreciated.

cn250039 · ‎11-30-2021

I did that and it resulted in 0 results. However, i know there is at least 2 events that meet the criteria, both have the same FieldB value and one has FieldA (a) and the other has FieldA (b). I am trying to see if there are any more occurrences.

richgalloway · ‎11-30-2021

Run the query one pipe at a time until it breaks. Then you'll know the problem command. At each step, verify the results are what you expect.

---
If this reply helps you, Karma would be appreciated.

cn250039 · ‎11-29-2021

but i don't know the values in FieldB prior to searching

PickleRick · ‎11-29-2021

If I understand you correctly, you want to match - for example - events having FieldA="x" and FieldB="x" as well as FieldA="y" and FieldB="y" but not FieldA="x" and FieldB="y" or vice versa, right?

FieldA IN ("x","y") FieldB IN ("x","y") | where FieldA=FieldB

cn250039 · ‎11-30-2021

i need events that have FieldA(a, b) and FieldB is the same value for the events....

event	1	2	3	4	5	6	7	8	9
field a	a	a	b	a	b	a	a	a	a
field b	1	2	1	2	3	3	4	5	6

index= source FieldA("a","b") will return all events

i want to filter it so that only events that have matching values in FieldB and the values in field a differ

so i would expect events 1, 3, 5, and 6 to return from the table above

but i do not know the values for FieldB at the time of search.

Filter Events that show value x and y by one that have matching z

eval

field extraction

lookup

stats

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Filter Events that show value x and y by one that have matching z

Can’t make it to .conf25? Join us online!