https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325557#M60505 <P>Currently forwarding all Windows Application Logs with even ID 1000 (AppCrash Event) to splunk. Using this search allows me to see what the top crashing applications in my environment are: </P> <PRE><CODE>EventCode=1000 | top limit=50 Faulting_application_path </CODE></PRE> <P>My problem is many of these events only a single computer is reporting the event so makes it look like a bigger issue when it's not. Is there a way I can do that same search but only if the "ComputerName" value is not unique? Perhaps even something like | where ComputerName &gt; 5?</P> <P>Here is an example event:</P> <PRE><CODE>02/28/2018 12:06:32 PM LogName=Application SourceName=Application Error EventCode=1000 EventType=2 Type=Error ComputerName=ComputerName1.mydomain.com TaskCategory=Application Crashing Events OpCode=Info RecordNumber=272812 Keywords=Classic Message=Faulting application name: CcmExec.exe, version: 5.0.8577.1108, time stamp: 0x5a5e6659 Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c Exception code: 0xe06d7363 Fault offset: 0x0000000000013fb8 Faulting process id: 0x4a8c Faulting application start time: 0x01d3b0b67a98d2b3 Faulting application path: C:\WINDOWS\CCM\CcmExec.exe Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll Report Id: f6e1ae09-3d16-4ba0-addf-98b1b999927c Faulting package full name: Faulting package-relative application ID: </CODE></PRE> <P>TIA!</P> Wed, 28 Feb 2018 17:20:03 GMT Nitroxeno 2018-02-28T17:20:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325557#M60505 <P>Currently forwarding all Windows Application Logs with even ID 1000 (AppCrash Event) to splunk. Using this search allows me to see what the top crashing applications in my environment are: </P> <PRE><CODE>EventCode=1000 | top limit=50 Faulting_application_path </CODE></PRE> <P>My problem is many of these events only a single computer is reporting the event so makes it look like a bigger issue when it's not. Is there a way I can do that same search but only if the "ComputerName" value is not unique? Perhaps even something like | where ComputerName &gt; 5?</P> <P>Here is an example event:</P> <PRE><CODE>02/28/2018 12:06:32 PM LogName=Application SourceName=Application Error EventCode=1000 EventType=2 Type=Error ComputerName=ComputerName1.mydomain.com TaskCategory=Application Crashing Events OpCode=Info RecordNumber=272812 Keywords=Classic Message=Faulting application name: CcmExec.exe, version: 5.0.8577.1108, time stamp: 0x5a5e6659 Faulting module name: KERNELBASE.dll, version: 10.0.16299.15, time stamp: 0x4736733c Exception code: 0xe06d7363 Fault offset: 0x0000000000013fb8 Faulting process id: 0x4a8c Faulting application start time: 0x01d3b0b67a98d2b3 Faulting application path: C:\WINDOWS\CCM\CcmExec.exe Faulting module path: C:\WINDOWS\System32\KERNELBASE.dll Report Id: f6e1ae09-3d16-4ba0-addf-98b1b999927c Faulting package full name: Faulting package-relative application ID: </CODE></PRE> <P>TIA!</P> Wed, 28 Feb 2018 17:20:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325557#M60505 Nitroxeno 2018-02-28T17:20:03Z https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325558#M60506 <P>Try something like this. Also try to include at least one metadata field (index sourcetype source host) in your base search for better performance.</P> <PRE><CODE>EventCode=1000 | stats count dc(ComputerName) as ComputerName by Faulting_application_path | where ComputerName&gt;5 | sort 50 -count </CODE></PRE> Wed, 28 Feb 2018 17:33:55 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325558#M60506 somesoni2 2018-02-28T17:33:55Z https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325559#M60507 <P>That did the trick! Thank you very much!</P> Wed, 28 Feb 2018 17:42:19 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-return-only-values-that-are-not-unique/m-p/325559#M60507 Nitroxeno 2018-02-28T17:42:19Z