How do I show only field values that are missing f...

shruthibm · ‎03-02-2023

I have 2 events

Event1: Document uploaded <documentId>

Event2: Document viewed <documentId>

I have generated a common "docId" field for both events. I want to create a table that lists document Ids that have been uploaded but not viewed.

Ex: If I have the following events,

Document uploaded: 34423434
Document uploaded: 56676886
Document viewed: 56676886

I want a table that shows the below output

DocumentIdsNotViewed

34423434

Thanks in advance!

gcusello · ‎03-02-2023

Hi @shruthibm,

you should try something like this:

<your-search> ("Document uploaded" OR "Document viewed"
| eval type=if(searchmatch("Document uploaded"),"Document uploaded","Document viewed")
| stats dc(type) AS type_count values(type) AS type BY documentId
| where type_count=1 AND type="Document uploaded"

Ciao.

Giuseppe

inventsekar · ‎03-02-2023

sure I understand this request, lets give this a try:

... | stats count(docId) as docIdCount | where docIdCount = 1

edit... oops, after few hrs, i understood that the logic is missing its idea. some trial and error on SPL creation is needed.

lets try this:

... | stats count(docId) as docIdCount by docId | where docIdCount = 1

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

How do I show only field values that are missing from one of the 2 splunk searches?

fields

stats

table

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation