Splunk Search

Match events in search by fields

Ponczi1
Explorer

Hello
I have a serach that gives me back two types of events. event A with field r_code and some other fields while event B with a field s_code. I want to list only Events A that can be matched by field r_code with Events B s_code field (meaning that if there is no event B that has s_code matching some Event A r_code then Event A should not be listed.

| from datamodel ABC.Perf |where isnotnull(s_code) OR isnotnull(r_code) |where ???
Tags (1)
0 Karma
1 Solution

cmerriman
Super Champion

you could try something like this:

....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner

https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin

View solution in original post

cmerriman
Super Champion

you could try something like this:

....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner

https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin

mayurr98
Super Champion

try this run anywhere search

| makeresults | eval event_A="1 2 3 4 5 6 7 8 9 10" | makemv event_A | mvexpand event_A | appendcols [| makeresults | eval event_B="8 2 5 9 11 64 66 7755 33 10" | makemv event_B | mvexpand event_B] | where event_A=event_B

If this does not work then provide r_code and s_code sample input data and provide what output you want.

let me know if this helps!

0 Karma

Ponczi1
Explorer

Ok, so the data is structured more like

_time | r_code    | s_code     | info
xxxxx | 12        |  null      | asd1
xxxxx | null      |  12        | null
xxxxx | 13        |  null      | asd2
xxxxx | 14        |  null      | asd3
xxxxx | null      |  14        | null

So i want to remove event with r_code=13 since there is no event with s_code=13

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...