Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Display logs that have a unique field-value

Splunkster45
Communicator
‎10-07-2014 09:52 AM

Sorry for the confusing title. Let me explain

When I query this search

| rex field=_raw "Session (?<number>\\w+) (\\((?<username>\\w+)@|)"

I get the following output.

Session 11111 ended
Session 11111 (user1@<ipaddress>) started
Session 55555 (user2@<ipaddress>) started

What I want to do is see the sessions that have been started and not finished. I've been able to capture a field for both the number (11111,55555) and the user (user1, user2). The way I was thinking about doing this is to display only the logs that have a field:number-count equal to 1. In this case, I only want the line with 55555 to display (because there is only 1 instance of it) and do not want the number 1111 to display (as it appears twice).

What is the best way to go about displaying the fields that contains unique instances? Is there a better way to go about doing this?

Thanks in advance!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Splunkster45
Communicator
‎10-07-2014 11:56 AM

Doing some more searching, I found this thread:

http://answers.splunk.com/answers/55060/only-alert-if-event-happens-x-times-but-display-all-events.h...

and now have an answer to my question. The query should look like this:
| eventstats count by number | search count = 1

Thanks for helping me along!

View solution in original post

Reply
Solved! Jump to solution
Solution

Splunkster45
Communicator
‎10-07-2014 11:56 AM

Doing some more searching, I found this thread:

http://answers.splunk.com/answers/55060/only-alert-if-event-happens-x-times-but-display-all-events.h...

and now have an answer to my question. The query should look like this:
| eventstats count by number | search count = 1

Thanks for helping me along!

Reply
Solved! Jump to solution

theouhuios
Motivator
‎10-07-2014 10:40 AM

try |eventstats count(number) as Value|where Value = 1

That should limit it to events which have one occurrence.

0 Karma
Reply
Solved! Jump to solution

Splunkster45
Communicator
‎10-07-2014 11:21 AM

hmm... not quite. It looks like this just counts the number of occurrences of the field number as opposed to marking the events that have one occurrence.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...