Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search Where one value present and not another

DanielFordWA
Contributor
‎11-18-2013 03:05 AM

Hi, I use the below query to find published documents and the actions taken against them.

sourcetype="iis-2" | extract auto=true | search DocAction NOT DocType="*Research*" NOT [| inputlookup testers_lookup | fields cs_username] NOT cs_username="*HTML*" | fillnull value="-" DocType DocAction publicationId docid  DocAut | stats count by  DocTitle DocType DocAction publicationId docid DocAut | eval DocType=urldecode(DocType) | eval DocTitle=urldecode(DocTitle) | eval publicationId=urldecode(publicationId)

In the field DocAction I have the values =PubInt and =PubExt for when a document is published.

Also in the DocAction field I have the value =View for when a document is viewed.

The question I want to answer is "What documents are published but do not get viewed in a given time period?"

Something like = Return all DocTitle where DocAction ="Pub" and there are no hits against the same DocTitle where DocAction="View"

Can anyone help?

Thanks,

Dan

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-18-2013 10:34 AM

Try following 

sourcetype="iis-2" | extract auto=true | search DocAction NOT DocType="*Research*" NOT [| inputlookup testers_lookup | fields cs_username] NOT cs_username="*HTML*" | fillnull value="-" DocType DocAction publicationId docid  DocAut | stats count by  DocTitle DocType DocAction publicationId docid DocAut | eval DocType=urldecode(DocType) | eval DocTitle=urldecode(DocTitle) | eval publicationId=urldecode(publicationId)

*Add this to your search**

| stats values(DocAction) as DocAction by DocTitle,DocType,publicationId,docid,DocAut
| eval isPubNotViewed=CASE((isnotnull(mvfind(DocAction,"PubInt")) OR isnotnull(mvfind(DocAction,"PubExt"))) AND isnull(mvfind(DocAction,"View")),"Yes",1=1,"No")
| where isPubNotViewed="Yes"

View solution in original post

Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎11-18-2013 10:34 AM

Try following 

sourcetype="iis-2" | extract auto=true | search DocAction NOT DocType="*Research*" NOT [| inputlookup testers_lookup | fields cs_username] NOT cs_username="*HTML*" | fillnull value="-" DocType DocAction publicationId docid  DocAut | stats count by  DocTitle DocType DocAction publicationId docid DocAut | eval DocType=urldecode(DocType) | eval DocTitle=urldecode(DocTitle) | eval publicationId=urldecode(publicationId)

*Add this to your search**

| stats values(DocAction) as DocAction by DocTitle,DocType,publicationId,docid,DocAut
| eval isPubNotViewed=CASE((isnotnull(mvfind(DocAction,"PubInt")) OR isnotnull(mvfind(DocAction,"PubExt"))) AND isnull(mvfind(DocAction,"View")),"Yes",1=1,"No")
| where isPubNotViewed="Yes"
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎11-19-2013 04:41 AM

just add "|stats count(eval(DocAction="View")) as readCount by DocTitle, DocType, publicationId, docid,DocAut | where readCount < 5"

Reply
Solved! Jump to solution

DanielFordWA
Contributor
‎11-19-2013 02:33 AM

Quick follow up question, how would I change the above so that I can see all documents that were only viewed 1-4 times, so the DocAction="View" has less than 5 hits?

0 Karma
Reply
Solved! Jump to solution

DanielFordWA
Contributor
‎11-19-2013 02:08 AM

This works great, I had to remove the PublicationID and docid as this only gets added after a document is published, this seemed to cause the query not to run correctly.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...