×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
rj1
Engager
Member since: ‎08-31-2021
‎09-01-2021
Community Statistics
Posts 2
Solutions 1
Karma Given 1
Karma Received 1
Member Since ‎08-31-2021
Activity Feed
Topics I've Started
View All

Re: subsearch matching latest

by in Splunk Search
‎09-01-2021 06:45 AM
1 Karma
‎09-01-2021 06:45 AM
1 Karma
I got it working with something like: ("A" OR "B") randomField=*X* | join [search randomField=*X* ("A" OR "B" OR "C" OR "D") | dedup randomField] table randomField _time ... View more

subsearch matching latest

by in Splunk Search
‎08-31-2021 02:44 PM
‎08-31-2021 02:44 PM
I'm trying to create a query that basically says:   Show me events that contain A, B, C or D where the latest is A or B.   I believe I  could do this with a subsearch: "A" or "B" randomfield=X [search ("A" or "B" or "C" or "D") randomfield=X | head 1] I know the first part pulls the right data, and the 2nd part pulls the right data, I just can't get them both to return the one result that I want.   I also tried this as a transaction: "A" OR "C"randomfield=X | transaction startswith="A" endswith="C" keepevicted=t | search closed_txn=0 | stats count by randomField   But I realized there are more than just one possible start and one possible end.   I just want to make sure that the LAST result from a list of specific events is a smaller list of specific events.   Thanks! ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎09-01-2021 10:42 AM
Karma from
View All
Karma given to
View All