Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Filter out events based on other events WITHOUT using JOIN/Subsearch

joseftw
Explorer
‎05-29-2020 01:07 AM

I have a index named Events

Example events:

AccountCreated

{
   "AccountId": 1234,
   "EventName": "AccountCreated",
   "SomeOtherProperty": "Some value"
}

FavoriteCreated

{
   "AccountId": 1234,
   "EventName": "FavoritesCreated
}

Let's say that I have a bunch of these events, like millions.

Now, I want to create a query that returns the AccountCreated event IF 1 (or more) FavoriteCreated event exists with the same AccountId.

I've tried the following query and it works

index=events EventName=AccountCreated 
  [search index=events EventName=FavoriteCreated | dedup AccountId | fields AccountId]
| table AccountId, SomeOtherProperty

The only problem with that one is that it's using a subsearch and im hitting the 10000 results limit.

So then I tried using a JOIN instead (this also works)

index=events EventName=AccountCreated AccountId=*
   | stats count by AccountId, EventName
   | fields - count
| join AccountId 
    [ | search index=events EventName=FavoriteCreated AccountId=*
        | stats count by AccountId ]
| fields - count
| table AccountId, EventName

...but now im facing the 50K events limit (JOIN subsearch).

So, I need to be able to write the query without using JOIN and/or subsearch, do you guys have any tips?

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

joseftw
Explorer
‎06-01-2020 11:54 AM

Managed to solve it like this:

 index=events AccountId=* (EventName=AccountCreated OR EventName=FavoriteCreated)
    | stats 
        values(Brand) as Brand,
        values(DeviceType) as DeviceType,
        values(Email) as Email,
        values(EventName) as EventName
        values(EventTime) as EventTime,
        values(Locale) as Locale,
        values(ClientIp) as ClientIp
      by AccountId
    | where mvcount(EventName)>1
    | eval EventName=mvindex(EventName,0)
    | eval EventTime=mvindex(EventTime,0)
    | eval ClientIp=mvindex(ClientIp,0)
    | eval DeviceType=mvindex(DeviceType,0)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

joseftw
Explorer
‎06-01-2020 11:54 AM

Managed to solve it like this:

 index=events AccountId=* (EventName=AccountCreated OR EventName=FavoriteCreated)
    | stats 
        values(Brand) as Brand,
        values(DeviceType) as DeviceType,
        values(Email) as Email,
        values(EventName) as EventName
        values(EventTime) as EventTime,
        values(Locale) as Locale,
        values(ClientIp) as ClientIp
      by AccountId
    | where mvcount(EventName)>1
    | eval EventName=mvindex(EventName,0)
    | eval EventTime=mvindex(EventTime,0)
    | eval ClientIp=mvindex(ClientIp,0)
    | eval DeviceType=mvindex(DeviceType,0)
0 Karma
Reply
Solved! Jump to solution

sensitive-thug
Retired
‎06-01-2020 12:15 PM

Hi @joseftw,

Thanks for asking a question! If you were able to resolve this issue, please click “Accept” directly below the answer to resolve the post.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎05-30-2020 04:39 PM 
index=events (EventName=AccountCreated OR EventName=FavoriteCreated) AccountId=*
| stats estdc(EventName) as flag values(*) as * by AccountId
| where flag > 1

please modify * to appropriate field.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎05-29-2020 02:56 AM

Hi joseftw,

try something like this:

index=events (EventName=AccountCreated OR EventName=FavoriteCreated) AccountId=*
| eval EventName=case(isnotnull(EventName), EventName, 1=1, "unknown")
| stats count by AccountId, EventName
| fields - count
| table AccountId, EventName

If this does not work please modify it 😉 But you will get a starting point and should you need more help please read this post https://answers.splunk.com/answers/129424/how-to-compare-fields-over-multiple-sourcetypes-without-jo...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

joseftw
Explorer
‎05-29-2020 03:10 AM

Hello!
Thank you for your answer! I tried it but it does not work for me. It returns BOTH AccountCreated and FavoriteCreated events, I only want the query to return AccountCreated events. This is my first day with Splunk so please bare with me... 🙂

If you have time, please look at my two examples I provided (they work but are using subsearch/join). I basically want to translate one of those queries to something that does not use join/subsearch.

Thank you for your help!

0 Karma
Reply
Solved! Jump to solution

joseftw
Explorer
‎05-29-2020 03:11 AM

Basically "Return this AccountEvent IF 1 or more FavoriteCreated event exists with the same AccountId"

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...