Solved: Query to Find the Value in a Field Just One Time

JaysonD123 · ‎05-20-2021

Good Afternoon,

I am trying to figure out a way to iterate through a list whenever the value is counted one time. I'm hoping it'll make mq so that way my query is speedier. Here's my current query:

index=* eventtype IN(valueA,valueB,valueC) | stats count by eventtype

and the result looks like this:

eventtype count

valueA 102

valueB 407

valueC 1034

What I'd like is a query where if the query finds the value in the field one time, move on to find the next value. This is how I want the output to look like:

eventtype count

valueA 1

valueB 1

valueC 1

Any help would be appreciated.

ITWhisperer · ‎05-20-2021

index=* eventtype IN(valueA,valueB,valueC) | dedup eventtype | stats count by eventtype

View solution in original post

JaysonD123 · ‎05-20-2021

This is close to what I was looking for. Thank you!

ITWhisperer · ‎05-20-2021

index=* eventtype IN(valueA,valueB,valueC) | dedup eventtype | stats count by eventtype

Query to Find the Value in a Field Just One Time

search

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!