Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Filter count?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Trying to output just names where the count=1.
Original Search
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | chart values(Permanent_Port_Name) by Aliname
Tried variations of the below- most complain that the count function is not supported.
I've checked the documentation & havent found much on how to do this.
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | where count(Aliname)=1 | chart values(Permanent_Port_Name) by Aliname
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | search count(Aliname)=1 | chart values(Permanent_Port_Name) by Aliname
Aliases="*hba*" | rex "Aliases:\s+(?<Aliname>\S+)_hba" | eval FAIL=count(Aliname) | where FAIL=1 | chart values(Permanent_Port_Name) by Aliname
Only want to chart where my count=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aliases="*hba*"
| rex "Aliases:\s+(?<Aliname>\S+)_hba"
| chart distinct_count(Permanent_Port_Name) as PortNameCount values(Permanent_Port_Name) by Aliname
| where PortNameCount = 1
This will work, and I think it is what you want. Maybe.
There were several problems with your earlier attempts. First, the where command does not have a count function. Second, the values function returns a list of the values, not a count. The eval command does not have a count function either.
A count can be computed using the stats, chart or timechart commands. However, the count is the number of events - not the number of unique values. The distinct_count function returns the number of unique values of a field. However, you must give the field a name, by using the as clause, if you want to refer to the field in subsequent commands.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Aliases="*hba*"
| rex "Aliases:\s+(?<Aliname>\S+)_hba"
| chart distinct_count(Permanent_Port_Name) as PortNameCount values(Permanent_Port_Name) by Aliname
| where PortNameCount = 1
This will work, and I think it is what you want. Maybe.
There were several problems with your earlier attempts. First, the where command does not have a count function. Second, the values function returns a list of the values, not a count. The eval command does not have a count function either.
A count can be computed using the stats, chart or timechart commands. However, the count is the number of events - not the number of unique values. The distinct_count function returns the number of unique values of a field. However, you must give the field a name, by using the as clause, if you want to refer to the field in subsequent commands.
Data Management Digest – November 2025
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
