Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to ignore certain events from past and do not include them in the new search

dearimranz
Engager
‎11-19-2013 11:37 AM

I have following data:

January 2013 (sample events)

field1:123abc field2:789xyz field3:567ghj

field1:dkd786 field2:cgu874 field3:1j7ut5

field1:i98udy field2:jfutid field3:4jfu76

February 2013 (sample events)

field1:99yekf field2:mkioie field3:34fvgh

field1:klou43 field2:ccxx45 field3:loaq56

field1:i98udy field2:jfutid field3:4jfu76 (exists in January 2013 / maybe before)

March 2013 (sample events)

field1:poph34 field2:cvt87q field3:45fgty

field1:klou43 field2:ccxx45 field3:loaq56 (exists in February 2013 / maybe before)

field1:nbty67 field2:23sxcr field3:oiu765

I have written some regexs to extract different fields and make reports out of it which works fine. However for some of the reports I have a requirement that if field1's value exists in the previous month(s) events, it should NOT show in the current month's report. The current month report should ONLY show the new fields.

Any ideas how to accomplish this. Many thanks in advance.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎11-19-2013 12:01 PM

Try following. This will first get list of all the months in which a particular combination of field1, field2, field3 occurs. If count of months for a combination is more than 1, it will be excluded. Also, if there are only one month, month value should match with current month, else it will be excluded too.

...... |stats values(date_month) as months by field1, field2, field3 | where mvcount(months)=1 AND isnotnull(mvfind(months,lower(strftime(now(),"%B"))))
0 Karma
Reply

aholzer
Motivator
‎11-19-2013 11:47 AM

Try "... | dedup field1 sortby _time". It'll remove duplicates giving you the earliest occurrence of the value in the field

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...