×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
joseftw
Explorer
Member since: ‎05-28-2020
‎06-05-2020
Community Statistics
Posts 4
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎05-28-2020
View All

Re: Filter out events based on other events WITHOU...

by in Splunk Search
‎06-01-2020 11:54 AM
‎06-01-2020 11:54 AM
Managed to solve it like this: index=events AccountId=* (EventName=AccountCreated OR EventName=FavoriteCreated) | stats values(Brand) as Brand, values(DeviceType) as DeviceType, values(Email) as Email, values(EventName) as EventName values(EventTime) as EventTime, values(Locale) as Locale, values(ClientIp) as ClientIp by AccountId | where mvcount(EventName)>1 | eval EventName=mvindex(EventName,0) | eval EventTime=mvindex(EventTime,0) | eval ClientIp=mvindex(ClientIp,0) | eval DeviceType=mvindex(DeviceType,0) ... View more

Re: Filter out events based on other events WITHOU...

by in Splunk Search
‎05-29-2020 03:11 AM
‎05-29-2020 03:11 AM
Basically "Return this AccountEvent IF 1 or more FavoriteCreated event exists with the same AccountId" ... View more

Re: Filter out events based on other events WITHOU...

by in Splunk Search
‎05-29-2020 03:10 AM
‎05-29-2020 03:10 AM
Hello! Thank you for your answer! I tried it but it does not work for me. It returns BOTH AccountCreated and FavoriteCreated events, I only want the query to return AccountCreated events. This is my first day with Splunk so please bare with me... 🙂 If you have time, please look at my two examples I provided (they work but are using subsearch/join). I basically want to translate one of those queries to something that does not use join/subsearch. Thank you for your help! ... View more

Filter out events based on other events WITHOUT us...

by in Splunk Search
‎05-29-2020 01:07 AM
‎05-29-2020 01:07 AM
I have a index named Events Example events: AccountCreated { "AccountId": 1234, "EventName": "AccountCreated", "SomeOtherProperty": "Some value" } FavoriteCreated { "AccountId": 1234, "EventName": "FavoritesCreated } Let's say that I have a bunch of these events, like millions. Now, I want to create a query that returns the AccountCreated event IF 1 (or more) FavoriteCreated event exists with the same AccountId. I've tried the following query and it works index=events EventName=AccountCreated [search index=events EventName=FavoriteCreated | dedup AccountId | fields AccountId] | table AccountId, SomeOtherProperty The only problem with that one is that it's using a subsearch and im hitting the 10000 results limit. So then I tried using a JOIN instead (this also works) index=events EventName=AccountCreated AccountId=* | stats count by AccountId, EventName | fields - count | join AccountId [ | search index=events EventName=FavoriteCreated AccountId=* | stats count by AccountId ] | fields - count | table AccountId, EventName ...but now im facing the 50K events limit (JOIN subsearch). So, I need to be able to write the query without using JOIN and/or subsearch, do you guys have any tips? ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM