How do I show only field values that are missing f...

shruthibm · ‎03-02-2023

I have 2 events

Event1: Document uploaded <documentId>

Event2: Document viewed <documentId>

I have generated a common "docId" field for both events. I want to create a table that lists document Ids that have been uploaded but not viewed.

Ex: If I have the following events,

Document uploaded: 34423434
Document uploaded: 56676886
Document viewed: 56676886

I want a table that shows the below output

DocumentIdsNotViewed

34423434

Thanks in advance!

gcusello · ‎03-02-2023

Hi @shruthibm,

you should try something like this:

<your-search> ("Document uploaded" OR "Document viewed"
| eval type=if(searchmatch("Document uploaded"),"Document uploaded","Document viewed")
| stats dc(type) AS type_count values(type) AS type BY documentId
| where type_count=1 AND type="Document uploaded"

Ciao.

Giuseppe

inventsekar · ‎03-02-2023

sure I understand this request, lets give this a try:

... | stats count(docId) as docIdCount | where docIdCount = 1

edit... oops, after few hrs, i understood that the logic is missing its idea. some trial and error on SPL creation is needed.

lets try this:

... | stats count(docId) as docIdCount by docId | where docIdCount = 1

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How do I show only field values that are missing from one of the 2 splunk searches?

fields

stats

table

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Wrapping Up Cybersecurity Awareness Month

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

Are you a member of the Splunk Community?