Re: Search under same field value

enpingtu · ‎03-02-2021

We have below log event rows -

correlationKey=abc msg="create cache for 123"
correlationKey=abc "read cache for 123"
correlationKey=mno "create cache for 456"
correlationKey=mno "read cache for 456"
correlationKey=xyz "read cache for 123"

From the data, we may notice that correlationKey abc/mno have both create/read. But for correlationKey xyz, it does not have "create cache" log, but "read cache" only.

We need to find all correlationKey values w/o log entry "create cache for". (abc/mno do not qualify. Only xyz qualify.)

Appreciate your great help!

- ET

ITWhisperer · ‎03-02-2021

| eval created=if(match(msg,"create cache"),"true",null)
| stats values(created) as created by correlationKey
| where NOT created="true"

enpingtu · ‎03-02-2021

Appreciate!

gcusello · ‎03-02-2021

Hi @enpingtu,

You could try something like this:

your_search
| eval qualify=case(searchmatch("create cache for"),"Create", searchmatch("read cache for"),"Read"
| stats dc(qualify) AS dc_qualify values(qualify) AS qualify BY correlationKey
| eval status=if(dc_qualify=2,"Qualify","Do not Qualify")
| table correlationKey status

Ciao.

Giuseppe

Search under same field value

eval

field extraction

subsearch

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk