Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter event data using conditions within the data

subhrangshu
Explorer
‎09-03-2020 10:37 AM

Hello,

I have some data which in the below form:

JOBEVENTTYPETIME
11A20
11B15
11C10
12A15
12B10
12C20

 

I want to filter the data only for those event which has the greater value of Type A.

So, here in my example, Event 1 has value of A=20 and Event 2 has value of A=15. So, here Event 1 has value of A greater than value of A in Event 2. So I want to see the results of Event 1 only. My result should be something like below:

JOB-NOEVENTTYPETIME
11A20
11B15
11C10

 

Thanks in advance.

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 11:14 AM

A subsearch should do the job.  The subsearch looks for the highest value of A and returns the event number.  Then the main search returns the results with that event number.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | return EVENT
  ]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-03-2020 11:14 AM

A subsearch should do the job.  The subsearch looks for the highest value of A and returns the event number.  Then the main search returns the results with that event number.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | return EVENT
  ]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

subhrangshu
Explorer
‎09-03-2020 11:03 PM

Thanks @richgalloway 

Your solution works as I wanted. Just one more add on query to it, when we return EVENT, suppose I want to use the EVENT value in some other way in my main search. For example:

If event =1, then my main search should be something like index=FOO AND source=some path\1\log.txt

If event =2, then my main search should be something like index=FOO AND source=some path\2\log.txt

Basically, I want to use the event value returned into my main search with some modification as stated above.

Thanks again.

Tags (1)
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎09-04-2020 05:54 AM

That changes the subsearch slightly.

index=foo [ index=foo TYPE="A" 
  | search TYPE="A" 
  | stats max(TIME) as MAXTIME by EVENT
  | sort - MAXTIME
  | head 1
  | eval source=case(EVENT=1,"some path", EVENT=2, "some other path", 1==1, "*")
  | return source
  ]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-03-2020 10:57 AM

Hi

you can use 

<your base query>
| stats values(job) as job values(event) as event max(time) as time by type
| table job event type time

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...