Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field with exclusively one value

monika0511
Explorer
‎10-15-2020 09:24 AM

here is how my base search output looks:

nameversionbrowserrunTime
call1alphachrome75
call1betachrome48
call2alphafirefox30
call2betachrome78
call3betafirefox56

I'm looking for a distinct list of "name, browser" that exclusively belongs to "beta" version. Getting count and median values is a bonus.

Here is the desired output:

nameversionbrowsercount(runTime)median(runTime)
call2betachrome130
call3betafirefox156


This is what I have so far: But this only gives me a diff. It can return alpha calls if those are not present in beta version. I'm looking for ONLY beta calls. 

 

baseSearch | stats dc(version) as found_in_versions BY name, platform | where found_in_versions < 2

 

 Any help would be appreciated!

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

monika0511
Explorer
‎10-15-2020 01:30 PM

Here is how I was able to do it:

baseSearch | eval found_in_base_search=1 | append [ subSearch | eval found_in_sub_search=1 ] | eventstats values(found_in_base_search) AS found_in_base_search BY name | where isnull(found_in_base_search) AND isnotnull(found_in_sub_search) | stats count(runTime), median(runTime) by name, version

View solution in original post

Reply
Solved! Jump to solution
Solution

monika0511
Explorer
‎10-15-2020 01:30 PM

Here is how I was able to do it:

baseSearch | eval found_in_base_search=1 | append [ subSearch | eval found_in_sub_search=1 ] | eventstats values(found_in_base_search) AS found_in_base_search BY name | where isnull(found_in_base_search) AND isnotnull(found_in_sub_search) | stats count(runTime), median(runTime) by name, version
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-15-2020 11:05 AM

Filter the desired events in the base search or a where clause.

baseSearch version=beta 
| stats dc(version) as found_in_versions BY name, platform 
| where found_in_versions < 2

 

baseSearch 
| where version=beta
| stats dc(version) as found_in_versions BY name, platform 
| where found_in_versions < 2

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...