Solved: How to Identify the events based on condition on o...

rangarbus · ‎02-11-2022

Hello Splunk Experts: From a system, we receive following events in splunk.

I would like to get the event which doesn't have logEvent as Received but has only logEvent as Delivered.

traceId field will have same value on both Received and Delivered events.

Here in the below example, traceId=101 is such an event.

{"logEvent":"Received","traceId": "100","message":"Inbound received", "id" : "00991"}
{"logEvent":"Delivered","traceId": "100","message":"Inbound sent", "id" : "00991-0"}
{"logEvent":"Delivered","traceId": "101","message":"Inbound sent", "id" : "00992-0"}
{"logEvent":"Received","traceId": "102","message":"Inbound received","id" : "00993"}
{"logEvent":"Delivered","traceId": "102","message":"Inbound sent","id" : "00993-0"}

ITWhisperer · ‎02-11-2022

Are the fields already extracted?

| eventstats values(logEvent) as logEvents by traceId
| where logEvents="Delivered" AND mvcount(logEvents) = 1

View solution in original post

ITWhisperer · ‎02-11-2022

Are the fields already extracted?

| eventstats values(logEvent) as logEvents by traceId
| where logEvents="Delivered" AND mvcount(logEvents) = 1

How to Identify the events based on condition on other events

eval

field extraction

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!