https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/628073#M218199 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253010">@anrak33</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 24 Jan 2023 07:39:46 GMT gcusello 2023-01-24T07:39:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627427#M218028 <P>My data looks like the following&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="20%" height="25px"><EM>student_id</EM></TD> <TD width="20%" height="25px"><EM>browser_id</EM></TD> <TD width="20%" height="25px"><EM>guid</EM></TD> <TD width="20%" height="25px"><EM>datetime</EM></TD> <TD width="20%" height="25px"><EM>x_id</EM></TD> </TR> <TR> <TD width="20%" height="25px">12_a</TD> <TD width="20%" height="25px">Chrome_2</TD> <TD width="20%" height="25px">1122</TD> <TD width="20%" height="25px">1/9/23 14:45</TD> <TD width="20%" height="25px">788a</TD> </TR> <TR> <TD width="20%" height="25px">13_a</TD> <TD width="20%" height="25px">Chrome_4</TD> <TD width="20%" height="25px">1213</TD> <TD width="20%" height="25px">1/12/23 19:13</TD> <TD width="20%" height="25px">33b</TD> </TR> <TR> <TD width="20%" height="25px">14_a</TD> <TD width="20%" height="25px">Chrome_3</TD> <TD width="20%" height="25px">1422</TD> <TD width="20%" height="25px">1/13/23 1:42</TD> <TD width="20%" height="25px">24c</TD> </TR> <TR> <TD width="20%" height="25px">15_b</TD> <TD width="20%" height="25px">FireFox_1</TD> <TD width="20%" height="25px">1289</TD> <TD width="20%" height="25px">1/16/23 15:46</TD> <TD width="20%" height="25px">&nbsp;12d</TD> </TR> <TR> <TD width="20%" height="25px">12_a</TD> <TD width="20%" height="25px">Chrome_2</TD> <TD width="20%" height="25px">1132</TD> <TD width="20%" height="25px">1/11/23 21:50</TD> <TD width="20%" height="25px">788a</TD> </TR> </TBODY> </TABLE> <P><BR />Ideally, we shouldn't have different guids given same student_id, browser_id and x_id. I am trying to find all those student_ids who violate this rule aka student_ids with same browser_id and x_id but different guid. So for the above, I'd like to see something like -&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">12_a Chrome_2 1122 1/9/23 14:45 788a 12_a Chrome_2 1132 1/11/23 21:50 788a</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><BR />I am trying -&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index="main_idx" app="student_svc" | stats count by student_id browser_id guid datetime x_id | where count &gt; 1 | stats list(count) by student_id</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>But it doesn't seem to be yielding the result. What should be the fix? Thanks<BR /><BR /></P> Tue, 24 Jan 2023 15:11:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627427#M218028 anrak33 2023-01-24T15:11:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627429#M218029 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253010">@anrak33</a>,</P><P>let me understand: for each student_id you should have only one&nbsp;<SPAN>uids, browser_id and x_id, is it correct?</SPAN></P><P><SPAN>if this is your need, you should try to use dc function in stats command, so to have the ex eption you could run&nbsp;something like this:</SPAN></P><LI-CODE lang="markup">index="main_idx" app="student_svc" | stats dc(browser_id) AS browser_id_count dc(guid) AS guid_count dc(x_id) AS x_id_count BY student_id | where browser_id_count&gt;1 OR guid_count&gt;1 OR x_id_count&gt;1</LI-CODE><P>See my approach and adapt my sample to your needs.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 18 Jan 2023 07:21:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627429#M218029 gcusello 2023-01-18T07:21:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627431#M218030 <P>Thanks&nbsp;<SPAN><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp; - it seems close - one thing I want to get rid of in the search is empty guid - how to add that?<BR />And the problem statement is for&nbsp;each (student_id + browser_id + x_id) there should be one guid.</SPAN></P> Wed, 18 Jan 2023 07:48:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627431#M218030 anrak33 2023-01-18T07:48:45Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627437#M218032 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253010">@anrak33</a>,</P><P>please try this:</P><LI-CODE lang="markup">index="main_idx" app="student_svc" | fillnull guid value="empty" | stats dc(browser_id) AS browser_id_count dc(guid) AS guid_count dc(x_id) AS x_id_count dc(eval(if(guid="empty",1,0))) AS empty_guid_count BY student_id | where browser_id_count&gt;1 OR guid_count&gt;1 OR x_id_count&gt;1 OR empty_guid_count&gt;0</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Wed, 18 Jan 2023 09:53:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627437#M218032 gcusello 2023-01-18T09:53:20Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627948#M218160 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;thx&nbsp; - this is not exactly giving me the result I want though.&nbsp;</P><P>I want all the student_ids who has more than 1 guid for a particular browser_id and x_id combination.</P><P>I tried changing the ORs to ANDs but no luck.</P> Mon, 23 Jan 2023 08:33:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627948#M218160 anrak33 2023-01-23T08:33:53Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627950#M218162 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253010">@anrak33</a>,</P><P>you can add also&nbsp;<SPAN>browser_id and x_id&nbsp;to the grouping keys or buid a different where condition, in this case, remember to use paranthesis.</SPAN></P><P><SPAN>Ciao.</SPAN></P><P><SPAN>Giuseppe</SPAN></P> Mon, 23 Jan 2023 08:42:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/627950#M218162 gcusello 2023-01-23T08:42:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/628072#M218198 <P>thanks</P> Tue, 24 Jan 2023 07:36:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/628072#M218198 anrak33 2023-01-24T07:36:54Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/628073#M218199 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/253010">@anrak33</a>,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 24 Jan 2023 07:39:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-for-group-by-and-filter-query/m-p/628073#M218199 gcusello 2023-01-24T07:39:46Z