Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help with search repeated events with diffrent values in specific field

jacob_rod
Explorer
‎12-27-2020 05:15 AM

Hello,

Help will be very appreciated.

My splunk index contains a field with codes, and another field with names.

Every event contains a code and a name.

1. I need to display all the codes that repeat more then once and have different names -  result for example can be code 444 that apear with two names dave and miriam.

2.Farther more, I need to display codes that have events with two specific names.

Thank you,

Jacob

 

Labels (2)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎02-16-2021 11:40 PM

This is my final search -

index=something (name="foo" OR name="bar")
| eval timeValue = strptime(Date, "%Y-%m-%d %H:%M")
| eval earliest = strptime("2021-02-17 08:00", "%Y-%m-%d %H:%M")
| where (timeValue > earliest)
| stats values(name) as names by code
| where mvcount(names) > 1
| table code names

Trying to add field from the events to the table came out empty...

Question is how can I add a field from the events to the table ?

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎12-27-2020 07:44 AM

1. This should show all the codes that have more than one name associated with them.

... | stats values(name) as names by code
| where mvcount(names) > 1

2. Here is one way to find the codes with two specific names

index=something (name="foo" OR name="bar")
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-28-2020 11:04 PM

Thank you very much, using the two solutions together solved my issue.

How can I add Time filter to the evens ?

 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 05:17 AM

What exactly do you mean by "time filter"?  What results do you want?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jacob_rod
Explorer
‎12-29-2020 07:40 AM

Hi,

My time field name is "time_start" - structure is -  2020-12-22T10:40:04.327+04:00

I need to display events from specific time boundaries (starting specific time until end time)

this is together with the code & name filters above.

Thank you again for the help.

Jake

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎12-29-2020 09:00 AM

Your events should already be mapping time_start to _time so filtering them should be a matter of selecting the desired time range from the time picker.

If you don't map time_start to _time then you'll have to filter in your query.

index=something (name="foo" OR name="bar")
| eval startTime=strptime(time_start, "%Y-%m-%dT%H:%M:%S%:z")
| where startTime ```fill in conditions```
| stats values(code) as codes by name
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...