Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

trying to find if there is an suggestion to capture only the values that occurs in more than one event with a different value

Deepz2612
Explorer
‎03-14-2019 11:08 PM

Hi Team,

I would like to know if there is any way to extract/find only the values that is present in more than one event with different values associated.
To explain further on the scenario,below are the logs.

 msg:    for-service - [2019-03-15T06:01:05.554+0000] "GET /api/for*&byr=**12355**" 404

Please help!!
Thanks in advance!

Tags (1)
0 Karma
Reply

sandeepmakkena
Contributor
‎10-25-2019 01:34 PM 
|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"
| stats dc(status) as StatusDC, values(status)  by vin 
| where StatusDC>1 
| table vin

I think this should help.
You can see dc(status), values of all the Status by vin by removing, where and table part to test.
Thanks!

0 Karma
Reply

woodcock
Esteemed Legend
‎10-25-2019 01:07 PM

Like this:

... | rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"
| stats dc(status) AS status_count values(status) BY vin
| search status_count > 1
0 Karma
Reply

nickhills
Ultra Champion
‎03-15-2019 02:36 AM

Hi @Deepz2612
Try adding this to the end of your search.

|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"|stats dc(vin) by vin, status
If my comment helps, please give it a thumbs up!
0 Karma
Reply

Deepz2612
Explorer
‎03-15-2019 05:17 AM

Hi nick,
Thanks!
But my requirement is to list "only" the vins which occurs more than once in logs but with different response code.

0 Karma
Reply

nickhills
Ultra Champion
‎03-15-2019 05:21 AM

Ah, so flip the dc, and use eventstats.
|rex "vin\=(?P<vin>[^\"]+)\"\s(?P<status>\d+)"|eventstats dc(status) by vin as status_count|where status_count>1|table _time vin status
(untested - typed on a phone)

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...