Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filter Search - Only Results with One Field Value per Entry

bcarr12
Path Finder
‎05-02-2013 01:55 PM

Hi all,

Is there any quick/straightforward way to filter results of a search so that only search results that have one occurrence of a field in them are displayed.

For example, I have a search that returns results where some have one occurrence of "transaction id" (always a unique number) and other results have multiple occurrences within that one result entry. I am trying to filter my search so it only includes results with one transaction id. What would be the best way to do this? Is this something that defining a transaction could help with?

0 Karma
Reply

Ayn
Legend
‎05-02-2013 02:00 PM

If multiple ID's result in a multivalued field containing the respective values, you could do:

yourbasesearch | where mvcount(transaction_id)=1
Reply

bcarr12
Path Finder
‎05-02-2013 02:10 PM

Hmm...I ran the search with this command but the results did not change. I apologize I cannot post the exact search and results due to the data generated, but the overall idea is that some results look like this:

....transaction_id=123456789....

while other results look like this:
...transaction_id:02345678....transaction_id:0028746553...transaction_id:9948777553...

So the idea is that I would only want to return results that have one transaction_id field value in them, as opposed to ones where there are multiple transaction_id occurrences in one result.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...