lordhans
Explorer
11-16-2017
01:34 PM
I am searching my logs for key IDs that can either be from group 'AA' or group 'BB'. I find them by using rex and then display them in a table (AA_12345, for example).
"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | table id
Some of those key IDs are duplicates. I only want to show unique key IDs in the table. How can I do this? Based on some posts I found on here there is something called 'dedup' that might be useful here but I can't figure out where I'd insert it in my search query.
Any help is appreciated, thanks!
1 Solution
somesoni2
Revered Legend
11-16-2017
01:38 PM
Try like this
"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | table id | dedup id
OR (stats will remove duplicates as well)
"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | stats count by id | table id
