Re: Filter Multiple Event Results Into A Single Va...

dunsha · ‎05-29-2017

I would like to return the value of a string only once even if it shows up multiple times in splunk. For example:

"rscprod" "rscapirequestresponse" "caseId"// : //"2209102486"

The search above returns multiple 200+ events, I would like my search to research count = 1 for <"caseId"// : //"2209102486">

kmorris_splunk · ‎05-29-2017

You could use dedup on the caseId field, provided it is being extracted:

[YOUR BASE SEARCH]
| dedup caseId

adonio · ‎05-29-2017

hope i understand you correctly,
try: your search for string here | head 1

lukas_loder · ‎05-29-2017

Or do you want to count for each caseId?
so you get a list like:
caseId1 count=2
caseId2 count=1
caseId3 count=5

| stats count by caseId

Filter Multiple Event Results Into A Single Value