Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Search under same field value

enpingtu
New Member
‎03-02-2021 10:41 PM

We have below log event rows - 

correlationKey=abc msg="create cache for 123"
correlationKey=abc "read cache for 123"
correlationKey=mno "create cache for 456"
correlationKey=mno "read cache for 456"
correlationKey=xyz "read cache for 123"

From the data, we may notice that correlationKey abc/mno have both create/read. But for correlationKey xyz, it does not have "create cache" log, but "read cache" only.

We need to find all correlationKey values w/o log entry "create cache for". (abc/mno do not qualify. Only xyz qualify.)

Appreciate your great help!

- ET

Labels (3)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-02-2021 11:33 PM 
| eval created=if(match(msg,"create cache"),"true",null)
| stats values(created) as created by correlationKey
| where NOT created="true"
0 Karma
Reply

enpingtu
New Member
‎03-02-2021 11:30 PM

Appreciate!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-02-2021 11:21 PM

Hi @enpingtu,

You could try something like this: 

your_search
| eval qualify=case(searchmatch("create cache for"),"Create", searchmatch("read cache for"),"Read"
| stats dc(qualify) AS dc_qualify values(qualify) AS qualify BY correlationKey
| eval status=if(dc_qualify=2,"Qualify","Do not Qualify")
| table correlationKey status

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...