I'm going to go mad trying to get splunk to return only field values that are a given value and don't start or contain the value I give. Here's my example:
index=myindex host=a_server | where match(eventtype, "^dataflow(^-|$)")
index=myindex host=a_server | where match(eventtype, "^dataflow$")
index=myindex host=a_server | where eventtype="dataflow"
index=myindex host=a_server eventtype=dataflow
index=myindex host=a_server eventtype=TERM(dataflow)
All five searches return items like:
dataflow-end
dataflow-start
dataflow-cache
...
etc.
I ONLY want events with eventtype of dataflow. Any guidance on how to have a less greedy search would be great!
This search will do it:
index=myindex host=a_server eventtype=dataflow
Now, the caveat is that that particular field is a multi-valued field, so it can have more than a single value and it will return searches that also have other eventtype values. If this is a problem, then you need to add this to the end, too:
| eventstats dc(eventtype) AS DCeventtype
| search DCeventtype=1
So, I like your idea. My challenge is that the distinct count of eventtype in the eventstats line returns the count for all events not each event. I'm sure this could be fixed with the appropriate by statement... but I don't know how to make a by statement that is unique to each event.
It looks like using:
| eval dc_etype=mvcount(eventtype)
accomplished what the eventstats command was intended to do.
Thank you!
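The following is an added, self-contained SPL example (not a search from anyone in this thread) that reproduces the behaviour discussed above on constructed data, so the per-event `mvcount` filter can be tried without access to `myindex`. The four sample events and their eventtype values are made up with `makeresults` and `makemv`; the field names `n` and `dc_etype` are assumptions for the demo.

```spl
| makeresults count=4
| streamstats count AS n
| eval eventtype=case(n==1, "dataflow",
                      n==2, "dataflow dataflow-start",
                      n==3, "dataflow-end",
                      n==4, "dataflow dataflow-end dataflow-cache")
| makemv delim=" " eventtype
| eval dc_etype=mvcount(eventtype)
| search eventtype="dataflow" dc_etype=1
| table n eventtype dc_etype
```

Run as written, only the row with `n=1` survives: rows 2 and 4 carry `dataflow` as one of several eventtype values, so `eventtype="dataflow"` alone matches them (which is exactly what the original searches were returning), and the `dc_etype=1` condition is what removes them; row 3 never matches because a field search is an exact value match, not a prefix match. Dropping the last two lines and keeping just the `table` shows the multivalue field and its count side by side, which is a quick way to confirm that `mvcount` is evaluated per event, whereas `eventstats dc(eventtype)` without a `by` clause yields one distinct count over the whole result set.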
Yes, your way is definitely the right way and mine will not work at all and I should have realized that. Great job!
That's what I get for posting untested answers from my phone!