Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Stumped. Selective removal of events while keeping others. Ideally avoiding mvexpand.

loc_spl
New Member
‎04-20-2020 09:14 AM

Hi folks, I'm having a hard time with this one. Maybe I need more coffee. Say I have several events like this:

EventA IP=192.168.0.22 DeviceName=192.168.0.22
EventB IP=192.168.0.22 DeviceName=Workstation1
EventC IP=192.168.0.33 DeviceName=192.168.0.33
EventD IP=192.168.0.33 DeviceName=Workstation2
EventE IP=192.168.0.44 DeviceName=192.168.0.44
EventF IP=192.168.0.44 DeviceName=Workstation3
EventG IP=192.168.0.44 DeviceName=Workstation4
EventH IP=192.168.0.44 DeviceName=Workstation5
EventI IP=192.168.0.55 DeviceName=192.168.0.55
EventJ IP=192.168.0.66 DeviceName=192.168.0.66

The goal in this sample would be to remove Events A, C, and E, since I have hostnames for those, but I can't simply dedup on IP because I need to keep F, G, H as they're actually different machines who happened to get the same IP address at some point over the time range of the search. Essentially, drop events where match(IP, Devicename) if there's more than one event which has that IP, and I'm stumped on getting that to work.

I've done this and it actually does the trick: eventstats values(DeviceName) as DevicePerIP by IP | eval DevicesPerIP=if(mvcount(DevicesPerIP)>1, mvfilter(NOT match(DevicesPerIP, "\.")), DevicesPerIP) | mvexpand DevicesPerIP | dedup IP DevicesPerIP sortby - _time | eval DeviceName=DevicesPerIP, but the mvexpand exceeds my memory limit and I'd rather not push a limits.conf change out to the cluster if there's another way to accomplish this.

Anyway, I think more coffee is in order. Any other ideas?

0 Karma
Reply

loc_spl
New Member
‎04-20-2020 09:55 AM

Well, perhaps more coffee was in order. Something as simple as | eventstats count as IP_OCCURS by IP | where IP_OCCURS=1 OR (IP_OCCURS>1 and NOT match(IP, DeviceName)) seems to be working. The data set is huge, so I'll have to test it thoroughly.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...