Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Need help with search based on values that are...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need help with search based on values that are duplicated but have different status levels.
jiaqya
Builder
09-02-2020
11:31 AM
In my data, there are duplicate rows for a server, but their status is "active" or "deleted".
Based on the field value I would like "Active" records to be returned at all times when both "active" and "deleted" are present.
If "active " is not present, then I want the "deleted" record to be shown.
Sample data result below. Please let me know how this can be done.
| makeresults
| eval server="one",column1="1",column2="2",column3="3",_time="09-02-2020",status="active"
| append [| makeresults | eval server="one",column1="1",column2="2",column3="3",_time="09-01-2020",status="deleted"]
| append [| makeresults | eval server="one",column1="1", column2="2",column3="3",_time="08-31-2020",status="deleted"]
| append [| makeresults | eval server="two",column1="3",column2= "2",column3="1",_time="09-02-2020",status="active"]
| append [| makeresults | eval server="three",column1="4", column2="5",column3="6",_time="09-01-2020",status="deleted"]
| table server,status,column1,column2,column3,_timeOutput of the above makeresult is below:
| server | status | column1 | column2 | column3 | _time |
| one | active | 1 | 2 | 3 | 9/2/2020 |
| one | deleted | 1 | 2 | 3 | 9/1/2020 |
| one | deleted | 1 | 2 | 3 | 8/31/2020 |
| two | active | 3 | 2 | 1 | 9/2/2020 |
| three | deleted | 4 | 5 | 6 | 9/1/2020 |
In this output, I would like to see the "active" record for server "one", active record for server "two", and "deleted" record for server "three".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
koshyk
Super Champion
09-02-2020
01:45 PM
Please try below..
| makeresults
| eval server="one",column1="1",column2="2",column3="3",_time="09-02-2020",status="active"
| append [| makeresults | eval server="one",column1="1",column2="2",column3="3",_time="09-01-2020",status="deleted"]
| append [| makeresults | eval server="one",column1="1", column2="2",column3="3",_time="08-31-2020",status="deleted"]
| append [| makeresults | eval server="two",column1="3",column2= "2",column3="1",_time="09-02-2020",status="active"]
| append [| makeresults | eval server="three",column1="4", column2="5",column3="6",_time="09-01-2020",status="deleted"]
| table server,status,column1,column2,column3,_time
| eval priority=case(status=="active",2,status=="deleted",1)
| eventstats max(priority) as max_priority by server
| where max_priority=priority
| fields - priority,max_priority
Get Updates on the Splunk Community!
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
🚀 Your data just got a serious AI upgrade — are you ready?
Say hello to the Agentic Era with the ...
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
