topic Re: Filter search string to field with only 1 specific value in Splunk Search

Filter search string to field with only 1 specific value

lbkAconectodk — Fri, 12 Apr 2019 09:03:53 GMT

I want to output computers who only has started 1 specific application
Field values: Application + Computers

There is multiple computers and multiple applications in the datafile.
So i want to list all computers who only have 1 specific value in the Application field.

Example
If Computer1 has ApplicationA, ApplicationB and ApplicationC in the Application field list, I do not want Computer1 in the output
If Computer2 ONLY have ApplicationA in the Application field list. Then I want Computer2 in the Output

Thank you in advance

Re: Filter search string to field with only 1 specific value

harshpatel — Fri, 12 Apr 2019 09:27:39 GMT

Hope this helps:

your search | stats count as app_count, values(APPLICATION_FIELDNAME) by COMPUTER_FIELDNAME | where app_count=1

for reference:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats

Re: Filter search string to field with only 1 specific value

lbkAconectodk — Fri, 12 Apr 2019 12:37:20 GMT

Unfortunately this still gives me computers which have multiple entries in the application field.

But will try look into the stats function

Re: Filter search string to field with only 1 specific value

harshpatel — Wed, 30 Sep 2020 00:05:13 GMT

If you have duplicate events you should perform dedup first:
| dedup computer, application
| stats count as app_count, values(application) by computer
| where app_count=1

Re: Filter search string to field with only 1 specific value

lbkAconectodk — Fri, 12 Apr 2019 12:57:50 GMT

To add some more information to my Question. The data is regarding which applications that was started from specific computers. So i want to filter out computers that have started more than 1 application, or even a specific application if that helps.

I tried dedup, but it still shows computer if they have more applications.
This is example of the output.. I only want PC005291 to be showed if 1 unique entry with application

       Field                              Field                                    Field            Field
    _time                           Application                        Activity        extracted_Host
05/09/201811:48:27.000  Autostart SP IE11             Proxy           PC005291

05/09/2018 11:45:54.000 VA - login til StoreFront   Proxy           PC005291

Thanks

Re: Filter search string to field with only 1 specific value

riddhichandaran — Fri, 12 Apr 2019 13:11:46 GMT

Hey, can you please try this

 your search | stats count(computer) as count by application | where count=1

hope this will help!

Re: Filter search string to field with only 1 specific value

harshpatel — Mon, 15 Apr 2019 07:05:36 GMT

Hi @lbkAconectodk, Does the application field have a comma-separated list of applications?

And I realized query should return the same with or without dedup because of our stats command.

Re: Filter search string to field with only 1 specific value

harshpatel — Mon, 15 Apr 2019 07:11:07 GMT

I've tried to test this using the following query. Maybe you can check and tell me if I'm understanding it wrong somewhere:
| makeresults count=10
| eval application="app".random()%10
| eval computer="computer".random()%6
| stats values(application) as apps by computer
| where mvcount(apps)=1