Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare 2 different rows using count?

villnooB
Explorer
‎12-27-2022 05:11 PM

Hi guys,

Can you please help me , I am trying to create a query in which it shows if a user is in  a different location in the sameday it will only prioritize one of it. please see below

| convert timeformat="%F %H:%M" ctime(zone) as ctime
| stats count by user fullname country ctime location
| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"
| fields - count
| sort 0 NetworkID

This is what i am getting if I'm using the query above

NetworkID Name Country DateStamp Location
userA A Sample Spain 12-26-2022 Office
userA A Sample Spain 12-27-2022 Office
userA A Sample Spain 12-27-2022 Home

 

and this is what I am trying to get that If it's in the same day it will only Select the office

NetworkID Name Country DateStamp Location
userA A Sample Spain 12-26-2022 Office
userA A Sample Spain 12-27-2022 Office

Thank you in advance

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2022 11:55 PM 
| convert timeformat="%F %H:%M" ctime(zone) as ctime
| stats count values(location) as location by user fullname country ctime
| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"
| fields - count
| eval Location=if(isnotnull(mvfind(Location, "Office")), "Office", "Home")
| sort 0 NetworkID

View solution in original post

Reply
Solved! Jump to solution

villnooB
Explorer
‎12-28-2022 04:11 AM

@ITWhisperer , @Manasa_401 , @SanjayReddy 

Thank you very much for the help

Reply
Solved! Jump to solution

Manasa_401
Communicator
‎12-28-2022 12:05 AM

Hello @villnooB 

After rename, add the below logic


| eventstats count as multiple by DateStamp Name
| eval valid=if(multiple>1 AND Location="Home","NO","YES")
| search valid="YES"
|fields - count multiple valid

If this helps, karma would be appreciated.

Thanks,

Manasa

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎12-27-2022 11:55 PM 
| convert timeformat="%F %H:%M" ctime(zone) as ctime
| stats count values(location) as location by user fullname country ctime
| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"
| fields - count
| eval Location=if(isnotnull(mvfind(Location, "Office")), "Office", "Home")
| sort 0 NetworkID
Reply
Solved! Jump to solution

villnooB
Explorer
‎12-28-2022 04:10 AM

@ITWhisperer 

Thank you very much

0 Karma
Reply
Solved! Jump to solution

SanjayReddy
SplunkTrust
SplunkTrust
‎12-27-2022 09:06 PM

Hi @villnooB 

can you try following qurey, highlight lines are are newly added 

| convert timeformat="%F %H:%M" ctime(zone) as ctime
| stats count by user fullname country ctime location
| eval Filter=if(location="Office","Yes","NO")
| search Filter="Yes"
| rename fullname as "Name", ctime as DateStamp, location as "Location", user as "NetworkID", country as "Country"
| fields - count
| sort 0 NetworkID

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...