Solved: Re: searching in the field

abi2023 · ‎05-01-2023

my Spl is
my base search | transaction ID | stats count values(Date) as Date value(field1) as field1 by ID

I get result

Date field1 ID
02/20/23. CCC 10
02/10/23
02/05/23

02/10/23. CC 08
02/05/23

02/01/23 C 01

Is there anyway in Splunk to search in Date field?

I am try to display result without Date 02/20/23

I try search Date!="02/20/23" and where Date="02/20/23" can anyone help is do able in splunk?

somesoni2 · ‎05-01-2023

Give this a try

my base search 
| transaction ID 
| stats count values(Date) as Date value(field1) as field1 by ID
| where isnull(mvfind(Date,"02\/20\/23"))

View solution in original post

somesoni2 · ‎05-01-2023

Give this a try

my base search 
| transaction ID 
| stats count values(Date) as Date value(field1) as field1 by ID
| where isnull(mvfind(Date,"02\/20\/23"))

abi2023 · ‎05-01-2023

for the same spl but If I only want latest result show. how can I modify the search? assuming I don't know last event date.

somesoni2 · ‎05-02-2023

Since the mvfind function only support one field reference, it would be difficult to do filter based on dynamic latest Date value. Try this alternate implementation

my base search 
| eventstats latest(Date) as latestDate
| eval shouldInclude=if(Date=latestDate,1,0)
| transaction ID 
| stats count values(Date) as Date value(field1) as field1 max(shouldInclude) as shouldInclude by ID
| where shouldInclude=1

Is there anyway in Splunk to search in Date field?

stats

table

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?