Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Filter Search - Only Results with One Field Value per Entry

bcarr12
Path Finder
‎05-02-2013 01:55 PM

Hi all,

Is there any quick/straightforward way to filter results of a search so that only search results that have one occurrence of a field in them are displayed.

For example, I have a search that returns results where some have one occurrence of "transaction id" (always a unique number) and other results have multiple occurrences within that one result entry. I am trying to filter my search so it only includes results with one transaction id. What would be the best way to do this? Is this something that defining a transaction could help with?

0 Karma
Reply

Ayn
Legend
‎05-02-2013 02:00 PM

If multiple ID's result in a multivalued field containing the respective values, you could do:

yourbasesearch | where mvcount(transaction_id)=1
Reply

bcarr12
Path Finder
‎05-02-2013 02:10 PM

Hmm...I ran the search with this command but the results did not change. I apologize I cannot post the exact search and results due to the data generated, but the overall idea is that some results look like this:

....transaction_id=123456789....

while other results look like this:
...transaction_id:02345678....transaction_id:0028746553...transaction_id:9948777553...

So the idea is that I would only want to return results that have one transaction_id field value in them, as opposed to ones where there are multiple transaction_id occurrences in one result.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...