Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need SPL query

SabariRajanT
Path Finder
‎07-01-2021 08:42 AM

Hi All,

I have a unique values like below in my splunk dashboard,

 Email account:            Anaoymzer

sab@gmail.com                 No

tr@gmail.com                 Yes

rt@mail.com                        No

sab@gmail.com             Yes

sab@gmail.com            Yes

sab@gmail.com          Yes

All the above email account display with mail address list with IP address and ananoymzer as yes and No.

we need to pull unique email account column as displayed above and Ananoymzer = yes in past 24 hours.

Required SPL Query for this.

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-01-2021 08:59 AM

Hi @SabariRajanT,

if I correctly understood, you want only one value for each email and the anomynizer value is yes when there are both yes and not, is it correct?

if this is your need ,please ,try something like this:

your_search
| stats dc(anonymizer) AS dc_anonymizer values(anonymizer) AS anonymizer BY email
| eval anonymizer=if(dc_anonymizer=2,"yes",anonymizer)
| table mail anonymizer

Ciao.

Giuseppe

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-01-2021 08:58 AM

@SabariRajanT 

Can you please try this?

YOUR_SEARCH
| where Anaoymzer="Yes"
| dedup Email_account

 

My Sample Search :

| makeresults | eval _raw="Email account,Anaoymzer
sab@gmail.com ,No
tr@gmail.com,Yes
rt@mail.com,No
sab@gmail.com,Yes
sab@gmail.com,Yes
sab@gmail.com,Yes"| multikv forceheader=1
| table Email_account,Anaoymzer
| rename comment as "Upto Now is sample data only" 
| where Anaoymzer="Yes"
| dedup Email_account


 Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top