Splunk Search

inner search for multiple results

marcus_doron
New Member

I have this type of event:

event1 activity1 data1 date1
event2 activity1 data2 date2
event3 activity1 data3 date3
event4 activity1 id1 data4 date4
event5 activity1 data5 date5
event6 activity1 data6 date6

event7 activity2 data7 date7
event8 activity2 data8 date8
event9 activity2 data9 date9
event10 activity2 data10 date10
event11 activity2 id2 data11 date11
event12 activity2 data12 date12

event13 activity3 data13 date13
event14 activity3 data14 date14
event15 activity3 data15 date15
event16 activity3 data16 date16
event17 activity3 id1 data17 date17
event18 activity3 data18 date18

If I have id1, I would like to see all id1's activities with the first event date:

result for id1:
activity1 date1
activity3 date13

Can this be done without using the transaction method?

0 Karma
1 Solution

sundareshr
Legend

Try one of these searches...

base search | stats earliest(datefield) as first_event first(idfield) as id by activityfield

*OR*

base search | eventstats earliest(datefield) as first_event values(idfield) as id by activityfield | stats values(first_event) by idfield activityfield


0 Karma


marcus_doron
New Member

Thanks.
The second option works for me. Now I am trying to understand why.

0 Karma

marcus_doron
New Member

It seems that both searches work,
but they go over all the events in the time range.
Since I know the ID value beforehand, is there a way to go over only the events that are related to the specific ID?

Thanks

0 Karma

sundareshr
Legend

The eventstats command copies the idfield to all events that have a matching activityfield and the stats shows the first_event for each idfield/activityfield combination.

0 Karma
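To make the explanation above concrete, here is an added Python model of the second search (it is not code from the thread or from Splunk). It runs the eventstats-then-stats logic over constructed events shaped like the ones in the question, shows why the id-carrying event's activity peers must be read before the id filter is applied, and (as an assumption, not something the thread's query does) restricts the final stats to one id the way a `search id=<value>` placed between the two commands would.

```python
"""Python model of the SPL pipeline

    ... | eventstats earliest(datefield) as first_event values(idfield) as id by activityfield
        | stats values(first_event) by idfield activityfield

run over constructed events shaped like the ones in the question."""


def make_events():
    """Constructed sample: 18 events in three activities; exactly one event per
    activity carries an id, and id1 occurs in activity1 and activity3."""
    rows = []
    ids = {4: "id1", 11: "id2", 17: "id1"}      # event number -> id it carries
    for n in range(1, 19):
        activity = f"activity{(n - 1) // 6 + 1}"
        rows.append({
            "event": f"event{n}",
            "activityfield": activity,
            "idfield": ids.get(n),                # None = field absent on this event
            "datefield": f"2024-03-{n:02d}",      # ISO dates sort correctly as strings
        })
    return rows


def eventstats_by_activity(events):
    """Model of eventstats: earliest(datefield) and values(idfield) are computed
    per activityfield and then copied onto every event of that activity."""
    groups = {}
    for e in events:
        g = groups.setdefault(e["activityfield"],
                              {"first_event": e["datefield"], "ids": set()})
        g["first_event"] = min(g["first_event"], e["datefield"])
        if e["idfield"] is not None:
            g["ids"].add(e["idfield"])
    return [
        dict(e,
             first_event=groups[e["activityfield"]]["first_event"],
             id=sorted(groups[e["activityfield"]]["ids"]))
        for e in events
    ]


def first_event_per_activity(events, wanted_id):
    """Model of `| stats values(first_event) by idfield activityfield`, kept to a
    single id (assumed `search id=<wanted_id>` between the two commands)."""
    out = {}
    for e in eventstats_by_activity(events):
        if wanted_id in e["id"]:
            out[e["activityfield"]] = e["first_event"]
    return dict(sorted(out.items()))


def filter_before_stats(events, wanted_id):
    """What happens if the id filter is applied BEFORE eventstats: only the one
    event carrying the id survives, so 'earliest' is that event's own date
    (date4, date17), not the activity's first date (date1, date13). This is
    why the whole activity's events have to be read first."""
    out = {}
    for e in events:
        if e["idfield"] == wanted_id:
            a = e["activityfield"]
            out[a] = min(out.get(a, e["datefield"]), e["datefield"])
    return dict(sorted(out.items()))


if __name__ == "__main__":
    ev = make_events()
    print("eventstats then stats:", first_event_per_activity(ev, "id1"))
    print("filter first (wrong):  ", filter_before_stats(ev, "id1"))
```

The first call returns date1 for activity1 and date13 for activity3, matching the expected result in the question; the second returns date4 and date17, which is the trap behind the follow-up question about scanning only the id's own events.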

Richfez
SplunkTrust

Yes it can.

mysearch | stats earliest(datefield) BY idfield activityfield

Obviously substitute in your own field names, but that should get you going.

0 Karma