Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I add an additional search condition to my table?

elijahm
Explorer
‎08-19-2019 07:23 AM

index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out"
| rex "^\[(?[^\]]+)\].*\[(?[^\]]+)\]\[(?[a-zA-Z]*)\](?[^\(]+)\(\d*\)(.*makeModel=(?.*),make)*(:StdOUT (?.*))*.*"
| eval _time=strptime(time,"%a %b %d %H:%M:%S")
| fields - _raw time
| stats count as eventCount min(_time) as _time max(_time) as latestTime values(type) as allTypes values(device) as device values(name) as name values(macaddress) as macaddress by ip
| eval duration=(latestTime-_time)
| fields - latestTime
| search allTypes="NodeManager.getNodeByHWaddress" AND allTypes!="ActivateNode.doPost" AND allTypes="RegistrationController.initOsList" AND allTypes="GetPolicy.doPost" | fields - allTypes

The above search query creates a table which has a column with users' macaddresses. There is an additional condition I want to add to the table that I don't know how to do. The condition is to only display the users whose macaddresses appears in the past logs on different days. I'm trying to find the users that use my program multiple times in the past and keeps using it.

If the below search returns events that are on different days, then I want to display this user in the table I created above. Thanks!
index= client_snsr_tcg_unix_webservices source="/var/log/tomcat8/catalina.out" 3c-43-a3-cc-f5-3f

Tags (1)
0 Karma
Reply

ansusabu
Communicator
‎08-19-2019 08:44 AM

You can use 'join' command if you want to retrieve the list of users for the mac addresses which you have obtained. OR you can use 'appendcols' if both queries are not related .

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-19-2019 07:39 AM

Try adding this to the end of your query:

| bucket span=1d _time | stats count values(*) as * by macaddress | where count > 1
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

elijahm
Explorer
‎08-19-2019 08:27 AM

It makes my table return only 1 statistic with the macaddresses column empty and the other columns listing its elements in the one statistic so i can't tell what information is correlated to which user.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-19-2019 10:04 AM

The macaddress field would be empty only if none of the events have a value for that column by the time the stats command runs. What do your results look like before the bucket command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...