Splunk Search

field with exclusively one value

monika0511
Explorer

here is how my base search output looks:

name    version  browser  runTime
call1   alpha    chrome   75
call1   beta     chrome   48
call2   alpha    firefox  30
call2   beta     chrome   78
call3   beta     firefox  56

I'm looking for a distinct list of "name, browser" that exclusively belongs to "beta" version. Getting count and median values is a bonus.

Here is the desired output:

name    version  browser  count(runTime)  median(runTime)
call2   beta     chrome   1               30
call3   beta     firefox  1               56


This is what I have so far, but it only gives me a diff: it can return alpha calls if those are not present in the beta version. I'm looking for ONLY beta calls.

    baseSearch
    | stats dc(version) as found_in_versions BY name, platform
    | where found_in_versions < 2

Any help would be appreciated!
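The "exclusively beta" rule described in the post, worked through as an added Python example (not Splunk code and not part of the original post) over constructed rows that mirror the sample table. It computes both the `dc(version) < 2` filter from the post and the stricter "only version seen is beta" filter side by side, so the alpha-only group that the first filter wrongly admits is visible:

```python
from collections import defaultdict
from statistics import median

# Constructed sample rows mirroring the base-search output shown in the post.
SAMPLE_ROWS = [
    {"name": "call1", "version": "alpha", "browser": "chrome",  "runTime": 75},
    {"name": "call1", "version": "beta",  "browser": "chrome",  "runTime": 48},
    {"name": "call2", "version": "alpha", "browser": "firefox", "runTime": 30},
    {"name": "call2", "version": "beta",  "browser": "chrome",  "runTime": 78},
    {"name": "call3", "version": "beta",  "browser": "firefox", "runTime": 56},
]


def versions_by_group(rows, keys=("name", "browser")):
    """Group rows by `keys` and record the set of versions each group appears in.

    This is the equivalent of `stats values(version) BY name, browser`.
    """
    seen = defaultdict(set)
    for row in rows:
        seen[tuple(row[k] for k in keys)].add(row["version"])
    return seen


def single_version_groups(rows, keys=("name", "browser")):
    """The post's original filter: keep groups with dc(version) < 2.

    It admits any group seen in exactly one version, including alpha-only ones.
    """
    return {g for g, v in versions_by_group(rows, keys).items() if len(v) < 2}


def exclusive_to_version(rows, version="beta", keys=("name", "browser")):
    """Keep only groups whose *entire* set of versions is {version}, then
    compute count and median of runTime over those rows.

    Returns {group_tuple: {"count": n, "median": m}}.
    """
    runtimes = defaultdict(list)
    for row in rows:
        if row["version"] == version:
            runtimes[tuple(row[k] for k in keys)].append(row["runTime"])
    return {
        g: {"count": len(runtimes[g]), "median": median(runtimes[g])}
        for g, v in versions_by_group(rows, keys).items()
        if v == {version}  # dc(version) == 1 AND that single version is the target
    }


if __name__ == "__main__":
    print("dc(version) < 2 admits:", sorted(single_version_groups(SAMPLE_ROWS)))
    for group, stats in sorted(exclusive_to_version(SAMPLE_ROWS).items()):
        print(group, stats)
```

On the sample rows the `dc(version) < 2` filter also admits `call2 / firefox`, which exists only in alpha, while the exclusive filter returns just `call2 / chrome` and `call3 / firefox` with count and median taken from their beta rows. In SPL terms the same idea is to have a single `stats` emit both `dc(version)` and `values(version)` per `name, browser` and keep rows where the distinct count is 1 and the single value is beta, rather than filtering on the distinct count alone.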

1 Solution

monika0511
Explorer

Here is how I was able to do it:

    baseSearch
    | eval found_in_base_search=1
    | append [ subSearch | eval found_in_sub_search=1 ]
    | eventstats values(found_in_base_search) AS found_in_base_search BY name
    | where isnull(found_in_base_search) AND isnotnull(found_in_sub_search)
    | stats count(runTime), median(runTime) by name, version


richgalloway
SplunkTrust

Filter the desired events in the base search or in a where clause.

    baseSearch version=beta
    | stats dc(version) as found_in_versions BY name, platform
    | where found_in_versions < 2

    baseSearch
    | where version="beta"
    | stats dc(version) as found_in_versions BY name, platform
    | where found_in_versions < 2

---
If this reply helps you, Karma would be appreciated.