Hi folks, I'm having a hard time with this one. Maybe I need more coffee. Say I have several events like this:

EventA IP=192.168.0.22 DeviceName=192.168.0.22
EventB IP=192.168.0.22 DeviceName=Workstation1
EventC IP=192.168.0.33 DeviceName=192.168.0.33
EventD IP=192.168.0.33 DeviceName=Workstation2
EventE IP=192.168.0.44 DeviceName=192.168.0.44
EventF IP=192.168.0.44 DeviceName=Workstation3
EventG IP=192.168.0.44 DeviceName=Workstation4
EventH IP=192.168.0.44 DeviceName=Workstation5
EventI IP=192.168.0.55 DeviceName=192.168.0.55
EventJ IP=192.168.0.66 DeviceName=192.168.0.66

The goal in this sample would be to remove Events A, C, and E, since I have hostnames for those, but I can't simply dedup on IP because I need to keep F, G, H as they're actually different machines who happened to get the same IP address at some point over the time range of the search. Essentially, drop events where match(IP, Devicename) if there's more than one event which has that IP, and I'm stumped on getting that to work.

I've done this and it actually does the trick: eventstats values(DeviceName) as DevicePerIP by IP | eval DevicesPerIP=if(mvcount(DevicesPerIP)>1, mvfilter(NOT match(DevicesPerIP, "\.")), DevicesPerIP) | mvexpand DevicesPerIP | dedup IP DevicesPerIP sortby - _time | eval DeviceName=DevicesPerIP, but the mvexpand exceeds my memory limit and I'd rather not push a limits.conf change out to the cluster if there's another way to accomplish this.

Anyway, I think more coffee is in order. Any other ideas?