Sorry for the confusing title. Let me explain
When I query this search
| rex field=_raw "Session (?<number>\w+) (\((?<username>\w+)@|)"
I get the following output.
Session 11111 ended
Session 11111 (user1@<ipaddress>) started
Session 55555 (user2@<ipaddress>) started
What I want to do is see the sessions that have been started and not finished. I've been able to capture a field for both the number (11111, 55555) and the user (user1, user2). The way I was thinking about doing this is to display only the logs that have a field:number count equal to 1. In this case, I only want the line with 55555 to display (because there is only 1 instance of it) and do not want the number 11111 to display (as it appears twice).
What is the best way to go about displaying the fields that contain unique instances? Is there a better way to go about doing this?
Thanks in advance!
Doing some more searching, I found this thread:
and now have an answer to my question. The query should look like this:
| eventstats count by number | search count = 1
Thanks for helping me along!
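As an added worked example (not part of the original thread, and not Splunk's own code), the following Python mirrors what the two pipelines discussed here compute over a handful of constructed events. The IP addresses and the extra `77777` session are made up for the demonstration. `eventstats count by number` stamps each event with the number of events that share its session number, so filtering on `count = 1` keeps only the unpaired events; `eventstats count(number) as Value` without a BY clause stamps one grand total onto every event, which is why that variant cannot isolate single occurrences. The example also shows the caveat that an "ended" line whose "started" fell outside the search window is reported as unpaired too, since the count alone cannot tell the two cases apart.

```python
import re
from collections import Counter

# Constructed sample events (placeholder IPs; 77777 is added to show an
# "ended"-only session, which also has a count of 1).
SAMPLE_EVENTS = [
    "Session 11111 ended",
    "Session 11111 (user1@10.0.0.5) started",
    "Session 55555 (user2@10.0.0.7) started",
    "Session 77777 ended",
]

# Same pattern as the rex in the question, in Python's (?P<name>...) syntax.
SESSION_RE = re.compile(r"Session (?P<number>\w+) (\((?P<username>\w+)@|)")


def extract_fields(raw):
    """Mimic `rex field=_raw ...`: return the event with number (and, when
    present, username) extracted, or None if the pattern does not match."""
    m = SESSION_RE.search(raw)
    if not m:
        return None
    event = {"_raw": raw, "number": m.group("number")}
    if m.group("username") is not None:
        event["username"] = m.group("username")
    return event


def eventstats_count_by_number(events):
    """`| eventstats count by number`: each event keeps its fields and gains
    a count of how many events share its number."""
    counts = Counter(e["number"] for e in events)
    return [dict(e, count=counts[e["number"]]) for e in events]


def eventstats_count_of_field(events):
    """`| eventstats count(number) as Value`: with no BY clause this is a single
    total (events that have a `number` field) copied onto every event, so
    `where Value = 1` matches either all events or none."""
    total = sum(1 for e in events if "number" in e)
    return [dict(e, Value=total) for e in events]


def unfinished_sessions(raw_lines):
    """The accepted approach: keep events whose session number occurs exactly once."""
    events = [e for e in map(extract_fields, raw_lines) if e]
    return [e for e in eventstats_count_by_number(events) if e["count"] == 1]


if __name__ == "__main__":
    for e in unfinished_sessions(SAMPLE_EVENTS):
        print(e["number"], e.get("username", "-"), e["_raw"])
```

Running the block prints the `55555` start line (user2) and the `77777` end line; if the second result is unwanted, a further filter on the "started" text is needed, which the count by itself does not provide.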
try |eventstats count(number) as Value|where Value = 1
That should limit it to events which have one occurrence.
hmm... not quite. It looks like this just counts the number of occurrences of the field number as opposed to marking the events that have one occurrence.