Filter Multiple Event Results Into A Single Value

New Member

I would like to return the value of a string only once even if it shows up multiple times in splunk. For example:

"rscprod" "rscapirequestresponse" "caseId"// : //"2209102486"

The search above returns multiple 200+ events, I would like my search to return count = 1 for <"caseId"// : //"2209102486">


Splunk Employee

You could use dedup on the caseId field, provided it is being extracted:

[YOUR BASE SEARCH]
| dedup caseId

SplunkTrust

Hope I understand you correctly,
try: your search for string here | head 1


Communicator

Or do you want to count for each caseId?
so you get a list like:
caseId1 count=2
caseId2 count=1
caseId3 count=5

| stats count by caseId
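The three answers above (`dedup caseId`, `head 1`, `stats count by caseId`) give different results on the same events, and the first depends on caseId actually being extracted. The following is an added example, not code from the thread or from Splunk: a small Python stand-in that runs the three operations over constructed sample events so the differences are visible. It assumes caseId is pulled out with a regex (the equivalent of a `rex` extraction); the sample log lines and timestamps are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample events (not from the original thread), newest first as
# Splunk returns them by default. The last line deliberately lacks a caseId.
EVENTS = [
    '2024-01-01T10:00:05Z rscprod rscapirequestresponse "caseId" : "2209102486" status=200',
    '2024-01-01T10:00:04Z rscprod rscapirequestresponse "caseId" : "2209102486" status=200',
    '2024-01-01T10:00:03Z rscprod rscapirequestresponse "caseId" : "1100000001" status=500',
    '2024-01-01T10:00:02Z rscprod rscapirequestresponse "caseId" : "2209102486" status=200',
    '2024-01-01T10:00:01Z rscprod rscapirequestresponse status=200',
]

# Assumed field extraction, equivalent to: | rex "\"caseId\"\s*:\s*\"(?<caseId>[^\"]+)\""
CASEID_RE = re.compile(r'"caseId"\s*:\s*"(?P<caseId>[^"]+)"')


def extract_case_id(event):
    """Return the caseId value for an event, or None if the field is absent."""
    m = CASEID_RE.search(event)
    return m.group("caseId") if m else None


def search(events, *terms):
    """Base search: keep events that contain every term (Splunk's implicit AND)."""
    return [e for e in events if all(t in e for t in terms)]


def dedup(events, field_fn):
    """`| dedup caseId`: keep the first event seen for each distinct value.
    Events with no value for the field are dropped, as dedup does by default."""
    seen, out = set(), []
    for e in events:
        v = field_fn(e)
        if v is None or v in seen:
            continue
        seen.add(v)
        out.append(e)
    return out


def head(events, n=1):
    """`| head 1`: the first n events, regardless of field values."""
    return events[:n]


def stats_count_by(events, field_fn):
    """`| stats count by caseId`: event count per value; events lacking the field are excluded."""
    return dict(Counter(v for v in map(field_fn, events) if v is not None))


if __name__ == "__main__":
    base = search(EVENTS, "rscprod", "rscapirequestresponse")
    print("base search events:", len(base))
    print("dedup caseId      :", len(dedup(base, extract_case_id)))
    print("head 1            :", len(head(base)))
    print("stats count by    :", stats_count_by(base, extract_case_id))
    # The original question: one result for a single caseId
    one_case = search(base, '"caseId" : "2209102486"')
    print("dedup for one case:", len(dedup(one_case, extract_case_id)))
```

The run shows why the extraction caveat matters: without a caseId field, `dedup` silently drops the event rather than keeping it, and `stats count by` omits it from the table, while `head 1` returns one event whatever the fields contain. When a detection search should fire once per case rather than once per event, `dedup` on the extracted field is the operation that matches the intent.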