I want to write a search that returns results in a time frame that is conditional in this manner:
Event A: If field1 = [unique_item {arbitrary ID: 000}] and field2 = [1] then [display this event]
Event B: If field1 = [unique_item {arbitrary ID: 000}] and field2 = [0] then [do not display this event or Event A]
Event C: If field1 = [unique_item {arbitrary ID: 001}] and field2 = [1] then [display this event]
Event D: If field1 = [unique_item {arbitrary ID: 001}] and field2 = [0] then [do not display this event or Event C]
Event E: If field1 = [unique_item {arbitrary ID: 002}] and field2 = [1] then [display this event]
Event F: If field1 = [unique_item {arbitrary ID: 002}] and field2 = [0] then [do not display this event or Event E]
And so on. "Field1" doesn't necessarily need to be assigned an ID; I just put that there to illustrate that the value of this field could really be anything. "Field2" will always be either a 1 or a 0.
This is very similar to the question posed here:
[https://answers.splunk.com/answers/137069/find-all-events-not-having-a-corresponding-event-matched-by-one-fields-value-where-not-exists.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev][1]
But I do not have a unique ID per event that will be the same despite field2's value, so I cannot make use of the solution there.
Thanks
[1]: https://answers.splunk.com/answers/137069/find-all-events-not-having-a-corresponding-event-matched-by-one-fields-value-where-not-exists.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
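One way to express this logic in SPL, added here as an example and not part of the original question or its answers: `eventstats` computes the minimum of `field2` across all events sharing a `field1` value and attaches that minimum to every event in the group, so any `field1` whose group contains a `0` is dropped together with its `1` events, while groups that only ever saw `1` are kept. The `index=main` and `sourcetype=my_sourcetype` values are placeholder assumptions; the `eval` with `tonumber` guards against `field2` having been extracted as a string.

```spl
index=main sourcetype=my_sourcetype (field2=0 OR field2=1)
| eval field2=tonumber(field2)
| eventstats min(field2) AS min_field2 BY field1
| where min_field2=1
| fields - min_field2
| table _time field1 field2
```

Because the grouping key is `field1` itself, no shared per-event ID is needed. Note that `eventstats` holds the per-`field1` minimum in memory for the whole result set; on very large searches the same filter can be done with `stats min(field2) AS min_field2 BY field1 | where min_field2=1` to list the qualifying `field1` values, at the cost of no longer returning the individual events.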