Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Filter event data using conditions within the data

subhrangshu
Explorer
‎09-03-2020 10:37 AM

Hello,

I have some data which in the below form:

JOBEVENTTYPETIME
11A20
11B15
11C10
12A15
12B10
12C20

 

I want to filter the data only for those event which has the greater value of Type A.

So, here in my example, Event 1 has value of A=20 and Event 2 has value of A=15. So, here Event 1 has value of A greater than value of A in Event 2. So I want to see the results of Event 1 only. My result should be something like below:

JOB-NOEVENTTYPETIME
11A20
11B15
11C10

 

Thanks in advance.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 11:14 AM

A subsearch should do the job.  The subsearch looks for the highest value of A and returns the event number.  Then the main search returns the results with that event number.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | return EVENT
  ]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 11:14 AM

A subsearch should do the job.  The subsearch looks for the highest value of A and returns the event number.  Then the main search returns the results with that event number.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | return EVENT
  ]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

subhrangshu
Explorer
‎09-03-2020 11:03 PM

Thanks @richgalloway 

Your solution works as I wanted. Just one more add on query to it, when we return EVENT, suppose I want to use the EVENT value in some other way in my main search. For example:

If event =1, then my main search should be something like index=FOO AND source=some path\1\log.txt

If event =2, then my main search should be something like index=FOO AND source=some path\2\log.txt

Basically, I want to use the event value returned into my main search with some modification as stated above.

Thanks again.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2020 05:54 AM

That changes the subsearch slightly.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | eval source=case(EVENT=1,"some path", EVENT=2, "some other path", 1==1, "*")
  | return source
  ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-03-2020 10:57 AM

Hi

you can use 

<your base query>
| stats values(job) as job values(event) as event max(time) as time by type
| table job event type time

r. Ismo 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...