Splunk Search

How do I filter the results of my stats search with a where condition?

TobiasBoone
Communicator

The pipeline logic of this discrete math is kicking me hard today. I need to be able to find a list of laptops that are checking into inventory over the past 30 days from off-premise, but have not checked in from on-premise.

I have a working search that gathers my entire inventory and looks up the client's address and returns subnet_descriptions. From that search I get ~100 results; anything unknown comes back as NONE where NONE means that it was off-premise. With this it is very easy to | where subnet_description = "NONE" but these results include machines that also checked in from on-premise in the same 30 days.

I can | stats count by machinename and then | where count = 1 which would get me close, but it wouldn't tell me if that 1 location was also "NONE" and because stats truncates off the subnet_description, I cannot do a subsequent | where ...

I can | stats count by machinename subnet_description but the count is then based upon the two criteria together and one machine gets multiple lines and again I can only filter on one.

I need some ideas on how to get just the overlap in these searches and essentially do a | stats count(machinename) | where count machinename = 1 and subnet_description="NONE"

Any brain checks would be greatly appreciated.

Tags (4)
0 Karma

woodcock
Esteemed Legend

You need eventstats. Try using | eventstats count AS CountByMachineName by machinename first. See what this does and go from there.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...