Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need SPL query

SabariRajanT
Path Finder
‎07-01-2021 08:42 AM

Hi All,

I have a unique values like below in my splunk dashboard,

 Email account:            Anaoymzer

sab@gmail.com                 No

tr@gmail.com                 Yes

rt@mail.com                        No

sab@gmail.com             Yes

sab@gmail.com            Yes

sab@gmail.com          Yes

All the above email account display with mail address list with IP address and ananoymzer as yes and No.

we need to pull unique email account column as displayed above and Ananoymzer = yes in past 24 hours.

Required SPL Query for this.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-01-2021 08:59 AM

Hi @SabariRajanT,

if I correctly understood, you want only one value for each email and the anomynizer value is yes when there are both yes and not, is it correct?

if this is your need ,please ,try something like this:

your_search
| stats dc(anonymizer) AS dc_anonymizer values(anonymizer) AS anonymizer BY email
| eval anonymizer=if(dc_anonymizer=2,"yes",anonymizer)
| table mail anonymizer

Ciao.

Giuseppe

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 08:58 AM

@SabariRajanT 

Can you please try this?

YOUR_SEARCH
| where Anaoymzer="Yes"
| dedup Email_account

 

My Sample Search :

| makeresults | eval _raw="Email account,Anaoymzer
sab@gmail.com ,No
tr@gmail.com,Yes
rt@mail.com,No
sab@gmail.com,Yes
sab@gmail.com,Yes
sab@gmail.com,Yes"| multikv forceheader=1
| table Email_account,Anaoymzer
| rename comment as "Upto Now is sample data only" 
| where Anaoymzer="Yes"
| dedup Email_account


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top