Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

filtering search to exclude all instances of field 1 for when certain results in field 2

shouldntdothat
Explorer
‎07-25-2018 10:18 AM

I have a search that brakes down some router alarms . my fields are Host_IP & Alarm
What I'm trying to do is filter for hosts that only take a specific alarm and do not have certain alarms.
these are state changes . these alarms are SessionUp SessionDown SessionProtChange
Im looking to isolate Hosts that only exhibit SessionUp alarm without having the usual SessionDown and SessionProtChange

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2018 10:41 AM

What's your current search? Try something like this

your current search with field Host_IP and Alarm
| stats values(Alarm) as Alarms by Host_IP
| where mvcount(Alarms)=1 AND Alarms="SessionUp"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎07-25-2018 10:41 AM

What's your current search? Try something like this

your current search with field Host_IP and Alarm
| stats values(Alarm) as Alarms by Host_IP
| where mvcount(Alarms)=1 AND Alarms="SessionUp"
0 Karma
Reply
Solved! Jump to solution

shouldntdothat
Explorer
‎07-25-2018 12:23 PM

Thank You, that helped

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-25-2018 06:31 PM

@shouldntdothat - We've converted @somesoni2's comment to an answer. Please accept the answer so the question will show as closed.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...