cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
ripson
Engager
Member since: ‎12-06-2023
‎12-06-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎12-06-2023
Activity Feed
Topics I've Started
View All

Re: Filtering data for stats purpose

by in Splunk Search
‎12-06-2023 07:06 AM
‎12-06-2023 07:06 AM
Thank you so much! This is UUID actually but I have added a pattern and it works perfectly! ... View more

Filtering data for stats purpose

by in Splunk Search
‎12-06-2023 04:09 AM
‎12-06-2023 04:09 AM
I am using Splunk 9.0.4 and I need to make a query where I extract data from a main search. So I am interested in results from the main search:   stage=it sourcetype=some_type NOT trid="<null>" reqest="POST /as/*/auth *"   But then I need filter out results from the main search, using a subsearch that operates on a different data set, using a value from a field from the main search, let's call it trid, and trid is a string that might be part of a  value called message in a subsearch. There might be more results in the subsearch, but if there is at least one result in a subsearch then the result from the main search stays in the main search, if not it should not be included in the main search. So I am interested only in the results from the main search, and the subsearch is only used to filter out some of them that does not match.   stage=it sourcetype=some_type NOT trid="<null>" reqest="POST /as/*/auth *" | fields trid [ search stage=it sourcetype=another_type | eval matches_found=if(match(message, "ID=PASSLOG_" + trid), 1, 0) | stats max(matches_found) as matches_found ] | where matches_found>0   After a few hours I cannot figure out how to make it. What is wrong with it? Please advise. ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎12-06-2023 12:45 PM