topic Re: Get logs with a distinct value of a field in Splunk Search

Get logs with a distinct value of a field

ank15july96 — Thu, 11 Apr 2019 16:42:09 GMT

I saw some similar questions but none seem to work

In my splunk logs, I have this field called TransactionID: 6c5802f0-c317-4d3a-9211-2ed7a10a5d7f -> 46314ef3-dac8-4756-902a-76fc61255d11 in my logs
A transaction can have multiple errors but I just want to find how many transactions did error occur in instead of total number of errors.
In other words, I want logs of distinct TransactionID that has error.

I tried index=bc-dag-app AND ERROR | dedup TransactionID but it didn't work.
Can someone please advise?

PS: I am super-new to splunk so I'm sorry if it's a straight forward/stupid question

Re: Get logs with a distinct value of a field

cvssravan — Thu, 11 Apr 2019 17:33:23 GMT

Hi,

Actually dedup TransactionID should work if you are looking for distinct transactions.

But if you are looking for all the logs per each transaction, you can try transaction command.

index=bc-dag-app AND ERROR | transaction TransactionID

Hope, it helps.

Re: Get logs with a distinct value of a field

ank15july96 — Thu, 11 Apr 2019 20:08:53 GMT

I tried the above query but it did not yield any result. 😕

Re: Get logs with a distinct value of a field

Vijeta — Thu, 11 Apr 2019 21:17:01 GMT

@ank15july96 First make sure your TransactionID field is being extracted. If it is, then use below query -

index=bc-dag-app AND ERROR | stats dc(TransactionID) as error_count