Splunk Search

How to subtract specific events, key pairs?

cxfuent29
New Member

Not sure where I should be going but, I am all for raw data going into fields, enhanced etc...
I am looking at our raw data and there is a field called ID=XXXXXX which is the field I am interested in, there is also another occurrence of ID= XXXXX YYYYY in the event which I am not interested in.
Both are showing up in my searches, NAME=MX001 and the second one ID=MX001 YYYYY.
I have tried Eval substr(ID,1,6) to no avail, any help would be appreciated,
P.S. could this have been taken care of during original extraction??

Thanks Ahead

0 Karma

cxfuent29
New Member

Let me try to show examples:

INPUT EVENTS:

1) id=jim,addr=12 main st,phone=825-585-9865

2) id=tom,addr=45 maple,phone=528-777-9685,id=tom second

I am using a simple table:
table id addr phone

Output:
jim 12 main st 825-585-9865
tom 45 maple 528-777-9685
tom second
(the line above is the problem)

0 Karma

cxfuent29
New Member

I guess what I am trying to do is a report using the first occurrence of a field within an event.

Some events have multiple fields some don't.

I looked at stats first(xx), but it returned first occurrence of first event only.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

It should be a matter of adding | search ID!="XXXXX *" to your query. If you share the existing query we can be more specific.

---
If this reply helps you, Karma would be appreciated.
0 Karma

cxfuent29
New Member

Correction: both fields are ID, both are automatically extracted and exist in one event.

Sorry for type

0 Karma

oscar84x
Contributor

Could you clarify a couple of things?
-Both fields are automatically extracted and they both exist in your index?
-One is called NAME and the other one ID?
-You only have use for NAME but not for ID??

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...

Splunk Smartness with Patrick Tatro | Episode 4

Welcome to another episode of "Splunk Smartness," where we explore how Splunk Education can revolutionize your ...