Splunk Search

How can I filter all events on one field by a value in another field?

DATT
Path Finder

We pull weekly vulnerability reports from Splunk associated with our Qualys data.  I am trying to filter out all records associated with a hostname if the status field equals "Fixed".

The data for a couple hosts might look like this:

Date        Host   Status
2024-07-22  host1  NEW
2024-07-22  host2  NEW
2024-07-23  host1  ACTIVE
2024-07-23  host2  ACTIVE
2024-07-24  host1  ACTIVE
2024-07-24  host2  ACTIVE
2024-07-25  host1  FIXED
2024-07-25  host2  ACTIVE
2024-07-26  host2  ACTIVE
2024-07-27  host2  ACTIVE
2024-07-28  host2  ACTIVE
2024-07-29  host2  ACTIVE


Both host1 and host2 discover a new vulnerability on 7-22.  On 7-23, the status for both flips to "ACTIVE".  On 7-25, however, host1 is now showing a FIXED status. Host2 remains vulnerable through the remaining date range of the report.

Since host1 fixed the vulnerability during the timeframe, how could I go about removing all host1 events based on the status field being equal to "Fixed" on the most recent data pull?

0 Karma

yuanliu
SplunkTrust
SplunkTrust

<something> Status!=FIXED

0 Karma

DATT
Path Finder

This isn't what I'm looking for. This eliminates just the event with a fixed status. I need to remove all of the host1 events because one of them has a status of fixed.

0 Karma

yuanliu
SplunkTrust
SplunkTrust

My apologies for not reading the question carefully.  eventstats is your friend.

| eventstats values(Status) by Host
| where NOT "FIXED" IN ('values(Status)')
| fields - "values(Status)"

Here, I am breaking out of my usual pattern to use a semantic filter.  For economy, you can also use the side effect of Splunk's equality on multivalue:

| eventstats values(Status) by Host
| where 'values(Status)' != "FIXED"
| fields - "values(Status)"

Either way, you get

Date        Host   Status
2024-07-22  host2  NEW
2024-07-23  host2  ACTIVE
2024-07-24  host2  ACTIVE
2024-07-25  host2  ACTIVE
2024-07-26  host2  ACTIVE
2024-07-27  host2  ACTIVE
2024-07-28  host2  ACTIVE
2024-07-29  host2  ACTIVE

Here is an emulation you can play with and compare with real data:

| makeresults format=csv data="Date,	Host,	Status
2024-07-22,	host1,	NEW
2024-07-22,	host2,	NEW
2024-07-23,	host1,	ACTIVE
2024-07-23,	host2,	ACTIVE
2024-07-24,	host1,	ACTIVE
2024-07-24,	host2,	ACTIVE
2024-07-25,	host1,	FIXED
2024-07-25,	host2,	ACTIVE
2024-07-26,	host2,	ACTIVE
2024-07-27,	host2,	ACTIVE
2024-07-28,	host2,	ACTIVE
2024-07-29,	host2,	ACTIVE"
``` data emulation above ```


0 Karma

DATT
Path Finder

This is great, thank you.  I have struggled with eventstats in the past, and this is the first time I can remember seeing a use case for it that made sense to me.

0 Karma

PickleRick
SplunkTrust
SplunkTrust

My three cents

| where NOT a in b

or

| where NOT b=a

(as you can do with  multivalued fields)

is NOT the same as

| where a!=b

The first form filters out all results where value a appears anywhere in the field b - as one of the values in a multivalued field - whereas the second form keeps all results which have at least one value in field b which is different than a.

Also results with empty field b are treated differently.

0 Karma
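The following is an added example, not code from either poster and not SPL. It is plain Python that models the row-level logic of the accepted answer (attach the set of statuses seen per host, as eventstats values(Status) by Host does, then drop every event of a host whose set contains FIXED) and the two readings of a multivalue comparison that the comment above distinguishes (NOT a IN b versus "at least one value differs"), including how an empty field is treated under each. Beyond the thread's data it adds two constructed hosts: host3, which goes FIXED and is then reopened, to show how an "any FIXED" filter differs from a "FIXED on the most recent pull" filter, and host4, whose status is empty. The names host3, host4, and all function names are assumptions made here.

```python
"""Emulation of group-level filtering on a per-host multivalue summary.

Not SPL: this models the row logic of `eventstats values(Status) by Host`
followed by a `where` filter, so the different predicates can be compared
on known input. Sample data is constructed for this example.
"""
import csv
import io

# Constructed sample: the thread's twelve rows, plus host3 (FIXED on 07-24,
# reopened ACTIVE on 07-25) and host4 (empty Status). host3 and host4 are
# hypothetical additions, not part of the original post.
SAMPLE_CSV = """Date,Host,Status
2024-07-22,host1,NEW
2024-07-22,host2,NEW
2024-07-23,host1,ACTIVE
2024-07-23,host2,ACTIVE
2024-07-24,host1,ACTIVE
2024-07-24,host2,ACTIVE
2024-07-25,host1,FIXED
2024-07-25,host2,ACTIVE
2024-07-26,host2,ACTIVE
2024-07-27,host2,ACTIVE
2024-07-28,host2,ACTIVE
2024-07-29,host2,ACTIVE
2024-07-23,host3,NEW
2024-07-24,host3,FIXED
2024-07-25,host3,ACTIVE
2024-07-24,host4,
"""


def load_rows(text=SAMPLE_CSV):
    """Parse the CSV into a list of dicts with keys Date, Host, Status."""
    return list(csv.DictReader(io.StringIO(text)))


def eventstats_values(rows, field, by):
    """Model of `eventstats values(<field>) by <by>`: every row gets the set of
    distinct non-empty <field> values seen across all rows sharing its <by>.
    A group with no non-empty value ends up with an empty set (a null field)."""
    groups = {}
    for r in rows:
        if r[field] != "":
            groups.setdefault(r[by], set()).add(r[field])
    return [dict(r, **{f"values({field})": groups.get(r[by], set())}) for r in rows]


def filter_not_in(rows, value, mvfield="values(Status)"):
    """`where NOT value IN (mvfield)`: drop a row if value appears anywhere in
    the multivalue field. A row with an empty field is kept (nothing matches)."""
    return [r for r in rows if value not in r[mvfield]]


def filter_any_differs(rows, value, mvfield="values(Status)"):
    """The other reading of `mvfield != value` described in the comment: keep a
    row when at least one value in the field differs from value. A row with an
    empty field has no such value and is dropped, which is the empty-field
    difference the comment points out."""
    return [r for r in rows if any(v != value for v in r[mvfield])]


def remove_fixed_hosts(rows):
    """The accepted answer: remove every event of any host that has FIXED
    anywhere in its history within the search window."""
    return filter_not_in(eventstats_values(rows, "Status", "Host"), "FIXED")


def remove_hosts_fixed_on_latest_pull(rows):
    """Variant matching the question's wording ("on the most recent data pull"):
    drop a host only if its Status on its latest Date is FIXED. Dates are ISO
    strings, so string order equals chronological order. A host that was FIXED
    and later reopened (host3) is kept here but dropped by remove_fixed_hosts."""
    latest = {}
    for r in rows:
        if r["Host"] not in latest or r["Date"] > latest[r["Host"]]["Date"]:
            latest[r["Host"]] = r
    return [r for r in rows if latest[r["Host"]]["Status"] != "FIXED"]


def hosts(rows):
    """Sorted distinct hosts remaining after a filter, for easy comparison."""
    return sorted({r["Host"] for r in rows})


if __name__ == "__main__":
    rows = load_rows()
    print("any FIXED in history removed :", hosts(remove_fixed_hosts(rows)))
    print("FIXED on latest pull removed :", hosts(remove_hosts_fixed_on_latest_pull(rows)))
    print("keep if any value != FIXED   :",
          hosts(filter_any_differs(eventstats_values(rows, "Status", "Host"), "FIXED")))
```

Running it shows the three predicates keep different host sets: the "any FIXED" filter keeps host2 and host4 only; the "latest pull" variant also keeps the reopened host3; and the "at least one value differs" reading keeps host1 (because NEW and ACTIVE differ from FIXED) while dropping host4, whose summary field is empty. The second point is why the empty-field behaviour matters when a report includes hosts with missing status values.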