How to achieve results only if another event is NO...

aikn061 · ‎07-28-2022

Hi All,

I already have a search that gives me a result. But what I desire to have is we want the results only if another event is NOT true for the user.

So for example below gives me result:

EventID=4625 earliest=-4h@h latest=-3h@h | table User IPAddress EventID Message

Desire is to only show results if there was no 4724 for a specific period. Would I do it something like this?

EventID=4625 earliest=-4h@h latest=-3h@h | table User IPAddress EventID Message earliest=-4h@h latest=-3h@h

| append [search NOT EventID=4724 earliest=-7d@d latest=now ]

richgalloway · ‎07-28-2022

Just throwing this out as an untested idea.

(EventID=2624 OR EventID=4625) earliest=-4h@h latest=-3h@h 
```Count the number of 4624 events for each user```
| eventstats sum(eval(EventID=4624)) as unwanted by user
```Keep the users who have no 4624 events```
| where unwanted = 0
```We're only interested in event 4625```
| where EventID=4625
| table User IPAddress EventID Message

---
If this reply helps you, Karma would be appreciated.

How to achieve results only if another event is NOT true for the user?

chart

count

join

stats

table

tstats

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms