Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to return all rows for each value of field_b where field_a = a, b, and c?

xcheng123
Engager
‎06-14-2016 10:52 PM

I am new to Splunk with questions below. Can anyone can help interpret the following request into a Splunk search statement?

Dataset is like below:
field_a field_b field_c
string_a b1 c1
string_b b1 c2
string_c b1 c3
string_c b2 c3
string_d b2 c4
string_d b1 c5

I am going to create a splunk search like following SQL

select*
from table
where field_a in ("string_a","string_b","string_c")
and field_b in (
select field_b from table
where field_a in ("stirng_a","string_b","string_c")
group by field_b
having count(distinct field_a) = 3)

The expectation is to return all the rows for a field_b with all where all string_a, string_b, and string_c occurred in field_a, such as:
field_a field_b field_c
string_a b1 c1
string_b b1 c2
string_c b1 c3

Thank you all in advance.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xcheng123
Engager
‎06-15-2016 10:39 AM

I figured this out with the following Splunk search:

index=*  (field_a=string_a OR field_a=string_b OR field_a=string_c) [search index=* (field_a=string_a OR field_a=string_b OR field_a=string_c) | eval category = case(match(field_a,"string_a"),"a",match(field_a,"string_b"),"b",match(field_a,"string_c"),"c") | stats dc(category) as dcCat by field_b | where dcCat = 3 | TABLE field_b] | eval category = case(match(field_a,"string_a"),"a",match(field_a,"string_b"),"b",match(field_a,"string_c"),"c") | Table field_a, field_b, field_c

If it is incorrect or if anyone has any other solutions, please feel free to post.
Thanks.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

xcheng123
Engager
‎06-15-2016 10:39 AM

I figured this out with the following Splunk search:

index=*  (field_a=string_a OR field_a=string_b OR field_a=string_c) [search index=* (field_a=string_a OR field_a=string_b OR field_a=string_c) | eval category = case(match(field_a,"string_a"),"a",match(field_a,"string_b"),"b",match(field_a,"string_c"),"c") | stats dc(category) as dcCat by field_b | where dcCat = 3 | TABLE field_b] | eval category = case(match(field_a,"string_a"),"a",match(field_a,"string_b"),"b",match(field_a,"string_c"),"c") | Table field_a, field_b, field_c

If it is incorrect or if anyone has any other solutions, please feel free to post.
Thanks.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2016 02:56 PM

I don't understand the reason for the subsearch, but if it works then accept the answer. I advise against using index=* for performance reasons. Use specific index names.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-15-2016 06:32 AM

This should get you started.

index = foo (field_a="string_a" OR field_a="string_b" OR field_a="string_c") | head 3 field_a | sort field_b
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
Top