Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to search all fieldA values where fieldB is a certain value?

pm771
Communicator
‎10-10-2016 01:23 PM

We have a single source with data (in table form) looking something like this:

Name Position Department 
John   Whatever    5
Jack   Boss        5
Jane   Particular  5

Multiple departments. Each department has one Boss.

How to write a search to find out Names of bosses of everybody with a position of Particular?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 01:38 PM

Try this

base search | table Name Position Department | eventstats values(eval(if(Position="Boss", Name, null()))) as Boss by Deptartment | where Position="Particular"

*OR*

base search | table Name Position Department | eventstats values(eval(if(Position="Boss", Name, null()))) as Boss by Deptartment | eval Boss=if(Position="Particular", Boss, null())

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-11-2016 11:24 AM

Like this:

... | eval BOSS=if((Position="Boss"), Name, null())
| stats values(BOSS) AS BOSS values(Position) AS Position BY Department
| search Position="Particular" | table BOSS
0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎10-10-2016 01:38 PM

Try this

base search | table Name Position Department | eventstats values(eval(if(Position="Boss", Name, null()))) as Boss by Deptartment | where Position="Particular"

*OR*

base search | table Name Position Department | eventstats values(eval(if(Position="Boss", Name, null()))) as Boss by Deptartment | eval Boss=if(Position="Particular", Boss, null())
Reply
Solved! Jump to solution

pm771
Communicator
‎10-10-2016 01:55 PM

I'm confused. Each department has its own Boss. How do you relate Particulars to their Bosses?

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎10-10-2016 03:11 PM

I'll breakdown the second query....

| eventstats values(eval(if(Position="Boss", Name, null()))) as Boss by Deptartment | eval

eventstats command adds summary statistics to all search result. So what this query segment does, is it gets the Name if Position="Boss" and assigns it to a field called "Boss" for everyone in the (by) Department. You can check this by removing the last segment. You should see the Department's Boss' name for each person in the Department. Is that not what you see?

Boss=if(Position="Particular", Boss, null())

Just nulls out all Boss fields that do not have a corresponding "Position="Particular"

https://docs.splunk.com/Documentation/Splunk/6.5.0/SearchReference/Eventstats

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...