https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615622#M213936 <P>Thanks for the reply. I wanted to have the timestamp of the occurrence as well. I went to do more research and apparently I can add this:</P><PRE>| stats count as count, earliest(_time) by&nbsp;username&nbsp;|&nbsp;where&nbsp;count=1</PRE><P>&nbsp;</P> Mon, 03 Oct 2022 09:50:10 GMT charlottelimcl 2022-10-03T09:50:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615619#M213934 <P>Hi everyone, I am new to splunk. I am looking at windows event logs for the EventCode=4725 for all usernames within a week's timeframe. What I want is to remove username results if there are more than 1 count for this eventcode including that username, and then list in a table to show the timestamp and username when the eventcode occurred.</P><P><STRONG>Example:</STRONG></P><P>Usernames with EventCode=4725 recorded within 1 week:</P><P>&nbsp;</P><P>Day 1 10pm : anna</P><P>Day 1 11pm : betty</P><P>Day 3 10pm : anna</P><P>Day 3 1pm :&nbsp; charlie</P><P>Day 7 2pm : zach</P><P>&nbsp;</P><P><STRONG>Final result I want is:</STRONG></P><P>Day 1 11pm : betty</P><P>Day 3 1pm :&nbsp; charlie</P><P>Day 7 2pm : zach</P><P>From the above we have 'anna' removed completely from as her event showed up more than once.&nbsp;</P><P>&nbsp;</P><P>This is my original query:</P><PRE>index=wineventlog EventCode=4725<BR />| fields *<BR />| eval timestamp=strftime(_time, "%Y-%m-%dT%H:%M"%S")<BR />| stats count by username | where username = 1</PRE><P>I then realised the problem with using stats count by,&nbsp; because I wouldnt be able to show the timestamp for the results result this is in statistics.&nbsp;</P><P>I have thought of using dedup to remove duplicate values, but I have not found a way to remove duplicate values including that value itself.</P><P>Please help. Thank you</P> Mon, 03 Oct 2022 09:14:19 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615619#M213934 charlottelimcl 2022-10-03T09:14:19Z https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615620#M213935 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250014">@charlottelimcl</a>,</P><P>let me understand:</P><P>you want to display only usernames that are only one time in your events, is this corret?</P><P>if this is your need, please try this:</P><LI-CODE lang="markup">index=wineventlog EventCode=4725 | stats count BY username | where count=1</LI-CODE><P>&nbsp;Ciao.</P><P>Giuseppe</P> Mon, 03 Oct 2022 09:26:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615620#M213935 gcusello 2022-10-03T09:26:06Z https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615622#M213936 <P>Thanks for the reply. I wanted to have the timestamp of the occurrence as well. I went to do more research and apparently I can add this:</P><PRE>| stats count as count, earliest(_time) by&nbsp;username&nbsp;|&nbsp;where&nbsp;count=1</PRE><P>&nbsp;</P> Mon, 03 Oct 2022 09:50:10 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615622#M213936 charlottelimcl 2022-10-03T09:50:10Z https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615623#M213937 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250014">@charlottelimcl</a>,</P><P>yes, it's correct.</P><LI-CODE lang="markup">index=wineventlog EventCode=4725 | stats count earliest(_time) AS timestamp BY username | where count=1 | eval timestamp=strftime(timestamp,"%Y-%m-%dT%H:%M"%S")</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Mon, 03 Oct 2022 09:55:59 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-dedup-duplicate-values-including-that-value-itself/m-p/615623#M213937 gcusello 2022-10-03T09:55:59Z