Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Match events in search by fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
I have a serach that gives me back two types of events. event A with field r_code and some other fields while event B with a field s_code. I want to list only Events A that can be matched by field r_code with Events B s_code field (meaning that if there is no event B that has s_code matching some Event A r_code then Event A should not be listed.
| from datamodel ABC.Perf |where isnotnull(s_code) OR isnotnull(r_code) |where ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could try something like this:
....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner
https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you could try something like this:
....|eval joiner="x"| selfjoin joiner |where r_code=s_code|fields - joiner
https://docs.splunk.com/Documentation/SplunkCloud/7.0.0/SearchReference/Selfjoin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this run anywhere search
| makeresults | eval event_A="1 2 3 4 5 6 7 8 9 10" | makemv event_A | mvexpand event_A | appendcols [| makeresults | eval event_B="8 2 5 9 11 64 66 7755 33 10" | makemv event_B | mvexpand event_B] | where event_A=event_B
If this does not work then provide r_code and s_code sample input data and provide what output you want.
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, so the data is structured more like
_time | r_code | s_code | info
xxxxx | 12 | null | asd1
xxxxx | null | 12 | null
xxxxx | 13 | null | asd2
xxxxx | 14 | null | asd3
xxxxx | null | 14 | null
So i want to remove event with r_code=13 since there is no event with s_code=13
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
