How to subtract specific events, key pairs?

cxfuent29 · ‎07-09-2019

Not sure where I should be going but, I am all for raw data going into fields, enhanced etc...
I am looking at our raw data and there is a field called ID=XXXXXX which is the field I am interested in, there is also another occurrence of ID= XXXXX YYYYY in the event which I am not interested in.
Both are showing up in my searches, NAME=MX001 and the second one ID=MX001 YYYYY.
I have tried Eval substr(ID,1,6) to no avail, any help would be appreciated,
P.S. could this have been taken care of during original extraction??

Thanks Ahead

cxfuent29 · ‎07-09-2019

Let me try to show examples:

INPUT EVENTS:

1) id=jim,addr=12 main st,phone=825-585-9865

2) id=tom,addr=45 maple,phone=528-777-9685,id=tom second

I am using a simple table:
table id addr phone

Output:
jim 12 main st 825-585-9865
tom 45 maple 528-777-9685
tom second
(the line above is the problem)

cxfuent29 · ‎07-10-2019

I guess what I am trying to do is a report using the first occurrence of a field within an event.

Some events have multiple fields some don't.

I looked at stats first(xx), but it returned first occurrence of first event only.

richgalloway · ‎07-09-2019

It should be a matter of adding | search ID!="XXXXX *" to your query. If you share the existing query we can be more specific.

---
If this reply helps you, Karma would be appreciated.

cxfuent29 · ‎07-09-2019

Correction: both fields are ID, both are automatically extracted and exist in one event.

Sorry for type

oscar84x · ‎07-09-2019

Could you clarify a couple of things?
-Both fields are automatically extracted and they both exist in your index?
-One is called NAME and the other one ID?
-You only have use for NAME but not for ID??

How to subtract specific events, key pairs?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!