Splunk Search

Search events by field value from search result

jacob_rod
Explorer

Hello friends,

Please try to assist me.

My data structure is -

Date, field1, field2, field3

I need to search for events that contain a specific value in field2 and, based on those results, display all the events that share a common value of field1.

Example -

17/2 AAA BBB gfg
17/2 XXX VVV hjh
17/2 AAA MMM klk

Searching for BBB will display these lines (which have AAA in common):
17/2 AAA BBB gfg
17/2 AAA MMM klk

Help will be appreciated,

Thank you.



ITWhisperer
Ultra Champion

Try this

| eval field4=if(field2="BBB",field2,null())
| eventstats values(field4) as field4 by field1
| where field4="BBB"

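As an added example (not code from the thread), the same grouping written two ways: the eventstats approach generalised to a 0/1 flag, and a subsearch that feeds the matching field1 values back into the outer search. This is the usual pattern for pulling every event from a host or user that produced one matching value; `example_idx` and `example_st` are placeholder index and sourcetype names.

```spl
index=example_idx sourcetype=example_st
| eval hit=if(field2="BBB", 1, 0)
| eventstats max(hit) as group_hit by field1
| where group_hit=1
| fields - hit group_hit
| table Date field1 field2 field3

index=example_idx sourcetype=example_st
    [ search index=example_idx sourcetype=example_st field2="BBB"
      | stats count by field1
      | fields field1 ]
| table Date field1 field2 field3
```

The subsearch expands to a filter such as `(field1="AAA")` on the outer search, so it is cheaper when few groups match but is bounded by the subsearch limits in limits.conf (by default 10,000 results and 60 seconds); the eventstats form has no such cap but must read every event of the sourcetype.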

jacob_rod
Explorer

Thank you very much!
