Solved: How to only display unique values from a field?

lordhans · ‎11-16-2017

I am searching the my logs for key IDs that can either be from group 'AA' or group 'BB'. I find them by using rex and then display them in a table. (AA_12345 for example).

"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | table id

Some of those key IDs are duplicates. I only want to show unique key IDs in the table. How can I do this? Based on some posts I found on here there is something called 'dedup' that might be useful here but I can't figure out where I'd insert it in my search query.

Any help is appreciated, thanks!

somesoni2 · ‎11-16-2017

Try like this

"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | table id | dedup id

OR (stats will remove duplicates as well)

"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | stats count by id | table id

View solution in original post

somesoni2 · ‎11-16-2017

Try like this

"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | table id | dedup id

OR (stats will remove duplicates as well)

"ns=myApplication" "trying to insert document with keyId:"| rex field=message "(?<id>(AA_\d+)|(BB_\d+))" | stats count by id | table id

How to only display unique values from a field?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation