Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with search repeated events with diffrent values in specific field

jacob_rod
Explorer
‎12-27-2020 05:15 AM

Hello,

Help will be very appreciated.

My splunk index contains a field with codes, and another field with names.

Every event contains a code and a name.

1. I need to display all the codes that repeat more then once and have different names -  result for example can be code 444 that apear with two names dave and miriam.

2.Farther more, I need to display codes that have events with two specific names.

Thank you,

Jacob

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎02-16-2021 11:40 PM

This is my final search -

index=something (name="foo" OR name="bar")
| eval timeValue = strptime(Date, "%Y-%m-%d %H:%M")
| eval earliest = strptime("2021-02-17 08:00", "%Y-%m-%d %H:%M")
| where (timeValue > earliest)
| stats values(name) as names by code
| where mvcount(names) > 1
| table code names

Trying to add field from the events to the table came out empty...

Question is how can I add a field from the events to the table ?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-28-2020 11:04 PM

Thank you very much, using the two solutions together solved my issue.

How can I add Time filter to the evens ?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 05:17 AM

What exactly do you mean by "time filter"?  What results do you want?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-29-2020 07:40 AM

Hi,

My time field name is "time_start" - structure is -  2020-12-22T10:40:04.327+04:00

I need to display events from specific time boundaries (starting specific time until end time)

this is together with the code & name filters above.

Thank you again for the help.

Jake

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 09:00 AM

Your events should already be mapping time_start to _time so filtering them should be a matter of selecting the desired time range from the time picker.

If you don't map time_start to _time then you'll have to filter in your query.

index=something (name="foo" OR name="bar")
| eval startTime=strptime(time_start, "%Y-%m-%dT%H:%M:%S%:z")
| where startTime ```fill in conditions```
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...