Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with search repeated events with diffrent values in specific field

jacob_rod
Explorer
‎12-27-2020 05:15 AM

Hello,

Help will be very appreciated.

My splunk index contains a field with codes, and another field with names.

Every event contains a code and a name.

1. I need to display all the codes that repeat more then once and have different names -  result for example can be code 444 that apear with two names dave and miriam.

2.Farther more, I need to display codes that have events with two specific names.

Thank you,

Jacob

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎02-16-2021 11:40 PM

This is my final search -

index=something (name="foo" OR name="bar")
| eval timeValue = strptime(Date, "%Y-%m-%d %H:%M")
| eval earliest = strptime("2021-02-17 08:00", "%Y-%m-%d %H:%M")
| where (timeValue > earliest)
| stats values(name) as names by code
| where mvcount(names) > 1
| table code names

Trying to add field from the events to the table came out empty...

Question is how can I add a field from the events to the table ?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-28-2020 11:04 PM

Thank you very much, using the two solutions together solved my issue.

How can I add Time filter to the evens ?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 05:17 AM

What exactly do you mean by "time filter"?  What results do you want?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-29-2020 07:40 AM

Hi,

My time field name is "time_start" - structure is -  2020-12-22T10:40:04.327+04:00

I need to display events from specific time boundaries (starting specific time until end time)

this is together with the code & name filters above.

Thank you again for the help.

Jake

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 09:00 AM

Your events should already be mapping time_start to _time so filtering them should be a matter of selecting the desired time range from the time picker.

If you don't map time_start to _time then you'll have to filter in your query.

index=something (name="foo" OR name="bar")
| eval startTime=strptime(time_start, "%Y-%m-%dT%H:%M:%S%:z")
| where startTime ```fill in conditions```
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...
Top