Solved: Help with search

rodrigomarfei · ‎09-16-2021

Hey Guys, this is a continuation of the below topic:

https://community.splunk.com/t5/Splunk-Search/Search-query-to-remove-results-from-another-source/m-p...

As you can see from my question before, I thoug I only needed the last event from the same Identification - and if this was the case, the dedup would work fine - but it turns out I need all the events for that ID that comes after the DELETED message.

To get the info, I'm running the following search:

index=xpto (source= inserted OR source=deleted) data.Date="2021-08-25T00:00:00" data.Identification=11894
| sort 0 -data.Timestamp 
| fillnull value="INSERTED" data.Action 
| table id data.Action data.Identification

And it returns me the following:

id            data.Action         data.Identification
8941786c-ab05-46a7-9610-e1d5ee135df7             INSERTED            11894
7232b292-4665-416f-a867-8eac88051b5b             INSERTED            11894
901607ac-5c28-4da2-996e-4c6a6b4995f8               INSERTED            11894
2cf1ecd8-dff3-4602-8106-9877ef2d1104                DELETED               11894
b7255bf1-14a9-44f6-899f-12f83c6be6f9                 DELETED               11894
392fca7c-18b1-4953-8300-39ff9768033a                DELETED               11894
08e49dbd-f0d8-4ca0-897f-6a3ac3ee54cb              INSERTED            11894
27c05aa4-6bf0-4a7a-87bf-3d1c90774cc7                DELETED               11894

My goal and help needed is to get all the events that come after the DELETED, in this case, the first 3 events of the search(as this is sorted by Timestamp). Of course it's not always the first 3 as this may vary.

Any ideas how I can achieve that?

Thank you!

ITWhisperer · ‎09-17-2021

Try something like this

| makeresults
| eval _raw="id,dataAction,dataIdentification
8941786c-ab05-46a7-9610-e1d5ee135df7,INSERTED,11894
7232b292-4665-416f-a867-8eac88051b5b,INSERTED,11894
901607ac-5c28-4da2-996e-4c6a6b4995f8,INSERTED,11894
2cf1ecd8-dff3-4602-8106-9877ef2d1104,DELETED,11894
b7255bf1-14a9-44f6-899f-12f83c6be6f9,DELETED,11894
392fca7c-18b1-4953-8300-39ff9768033a,DELETED,11894
08e49dbd-f0d8-4ca0-897f-6a3ac3ee54cb,INSERTED,11894
27c05aa4-6bf0-4a7a-87bf-3d1c90774cc7,DELETED,11894"
| multikv forceheader=1
| table id dataAction dataIdentification



| streamstats count(eval(match(dataAction,"DELETED"))) as deletes by dataIdentification
| where deletes=0

View solution in original post

ITWhisperer · ‎09-17-2021

Try something like this

| makeresults
| eval _raw="id,dataAction,dataIdentification
8941786c-ab05-46a7-9610-e1d5ee135df7,INSERTED,11894
7232b292-4665-416f-a867-8eac88051b5b,INSERTED,11894
901607ac-5c28-4da2-996e-4c6a6b4995f8,INSERTED,11894
2cf1ecd8-dff3-4602-8106-9877ef2d1104,DELETED,11894
b7255bf1-14a9-44f6-899f-12f83c6be6f9,DELETED,11894
392fca7c-18b1-4953-8300-39ff9768033a,DELETED,11894
08e49dbd-f0d8-4ca0-897f-6a3ac3ee54cb,INSERTED,11894
27c05aa4-6bf0-4a7a-87bf-3d1c90774cc7,DELETED,11894"
| multikv forceheader=1
| table id dataAction dataIdentification



| streamstats count(eval(match(dataAction,"DELETED"))) as deletes by dataIdentification
| where deletes=0

rodrigomarfei · ‎09-17-2021

Hello @ITWhisperer,

The search works perfectly.

Thank you a lot!

Help with search

search job inspector

subsearch

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?