https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327368#M159955 <P>I have a table of fields with items that are either a Credit or Debit There can be multiples of the same item. Also, an item can be "backed out" by making it a Debit. Here's a sample:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3251i53D1D372E39DA9A3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>So, "a" was credited twice and debited once. I'd like the table to show just one "a" (along with the other rows). Any idea how i can do this?</P> Fri, 21 Jul 2017 16:31:13 GMT gregbo 2017-07-21T16:31:13Z https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327368#M159955 <P>I have a table of fields with items that are either a Credit or Debit There can be multiples of the same item. Also, an item can be "backed out" by making it a Debit. Here's a sample:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/3251i53D1D372E39DA9A3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>So, "a" was credited twice and debited once. I'd like the table to show just one "a" (along with the other rows). Any idea how i can do this?</P> Fri, 21 Jul 2017 16:31:13 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327368#M159955 gregbo 2017-07-21T16:31:13Z https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327369#M159956 <P>You probably have to run some stats/dedup command to collapse duplicate rows. The command/function to use will depend upon what value of "C/D" you want to show. </P> <P>If you want to show all values of C/D for a, </P> <PRE><CODE>your current search giving field line item C/D | stats values("C/D") as "C/D" max(line) as line by item </CODE></PRE> <P>If you just want to show the first/last value for C/D for a</P> <PRE><CODE>your current search giving field line item C/D | stats first("C/D") as "C/D" first(line) as line by item </CODE></PRE> Fri, 21 Jul 2017 16:59:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327369#M159956 somesoni2 2017-07-21T16:59:41Z https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327370#M159957 <P>@gregbo, you will have to add more details for Credit and Debit. For example if a is credited three times and Debited only once, will you have two rows for a?</P> <P>Based on the current question if you want to display only one row per item, you can use dedup</P> <PRE><CODE>&lt;Your Base Search&gt; | dedup item | table line item </CODE></PRE> Fri, 21 Jul 2017 17:01:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327370#M159957 niketn 2017-07-21T17:01:02Z https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327371#M159958 <P>Like this:</P> <PRE><CODE>|makeresults | eval raw="1,a,C::2,j,C::3,q,C::4,a,C::5,l,C::6,a,D::7,m,C::8,r,C" | makemv delim="::" raw | mvexpand raw | rename raw AS _raw | rex "^(?&lt;line&gt;[^,]+),(?&lt;item&gt;[^,]+),(?&lt;CorD&gt;.*)$" | rename COMMENT AS "Everything above generates sample events; everything below is your solution" | stats count(eval(CorD="C")) AS Credits count(eval(CorD="D")) AS Debits BY item | eval CorD = Credits - Debits </CODE></PRE> Sat, 22 Jul 2017 21:02:30 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327371#M159958 woodcock 2017-07-22T21:02:30Z https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327372#M159959 <P>That worked like a charm! Thanks Woodcock!</P> Wed, 26 Jul 2017 14:44:57 GMT https://community.splunk.com/t5/Splunk-Search/How-do-i-display-only-events-that-aren-t-quot-backed-out-quot/m-p/327372#M159959 gregbo 2017-07-26T14:44:57Z