Splunk Search

How do I filter the results of my stats search with a where condition?

TobiasBoone
Communicator

The pipeline logic of this discrete math is kicking me hard today. I need to be able to find a list of laptops that are checking into inventory over the past 30 days from off-premise, but have not checked in from on-premise.

I have a working search that gathers my entire inventory and looks up the client's address and returns subnet_descriptions. From that search I get ~100 results; anything unknown comes back as NONE where NONE means that it was off-premise. With this it is very easy to | where subnet_description = "NONE" but these results include machines that also checked in from on-premise in the same 30 days.

I can | stats count by machinename and then | where count = 1 which would get me close, but it wouldn't tell me if that 1 location was also "NONE" and because stats truncates off the subnet_description, I cannot do a subsequent | where ...

I can | stats count by machinename subnet_description, but the count is then based upon the two criteria together, one machine gets multiple lines, and again I can only filter on one.

I need some ideas on how to get just the overlap in these searches and essentially do a | stats count(machinename) | where count machinename = 1 and subnet_description="NONE"

Any brain checks would be greatly appreciated.


woodcock
Esteemed Legend

You need eventstats. Try using | eventstats count AS CountByMachineName by machinename first. See what this does and go from there.

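Worked out below as an added example (not code from either post above): the eventstats approach from the answer, applied to the question's field names machinename and subnet_description. The first search keeps every check-in event, attaches per-machine counts and the set of locations seen, and then filters on the original subnet_description, which is the step the question says a plain stats truncates away. The second search goes beyond the "count = 1" wording and returns one row per machine whose check-ins in the window were all off-premise, which is the underlying inventory question; the base search is assumed and must already produce one event per check-in.

```spl
<your base search over the last 30 days, one event per check-in, with machinename and subnet_description>
| eventstats count AS CountByMachineName, values(subnet_description) AS seen_locations BY machinename
| where CountByMachineName=1 AND subnet_description="NONE"
| table _time machinename subnet_description CountByMachineName seen_locations

<your base search over the last 30 days, one event per check-in, with machinename and subnet_description>
| stats count AS total_checkins, count(eval(subnet_description="NONE")) AS offprem_checkins, values(subnet_description) AS seen_locations BY machinename
| where total_checkins=offprem_checkins
| table machinename total_checkins offprem_checkins seen_locations
```

Because eventstats adds fields rather than collapsing rows, any later | where can still test subnet_description alongside the per-machine count. The stats form compares the total check-in count with the count of off-premise check-ins, so a machine with three off-premise check-ins and no on-premise ones is reported, while any single on-premise check-in drops it from the list; seen_locations is kept only so the result can be eyeballed.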