Splunk Search

Filter search string to field with only 1 specific value

lbkAconectodk
New Member

I want to output computers that have only started 1 specific application.
Field values: Application + Computers

There are multiple computers and multiple applications in the datafile.
So I want to list all computers that only have 1 specific value in the Application field.

Example:
If Computer1 has ApplicationA, ApplicationB and ApplicationC in the Application field list, I do not want Computer1 in the output.
If Computer2 ONLY has ApplicationA in the Application field list, then I want Computer2 in the output.

Thank you in advance

0 Karma

riddhichandaran
Explorer

Hey, can you please try this:

your search | stats count(computer) as count by application | where count=1

hope this will help!

0 Karma

harshpatel
Contributor

Hope this helps:

your search | stats count as app_count, values(APPLICATION_FIELDNAME) by COMPUTER_FIELDNAME | where app_count=1

for reference:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats

0 Karma

lbkAconectodk
New Member

Unfortunately this still gives me computers which have multiple entries in the application field.

But I will try to look into the stats function.

0 Karma

harshpatel
Contributor

If you have duplicate events you should perform dedup first:
| dedup computer, application
| stats count as app_count, values(application) by computer
| where app_count=1

0 Karma

lbkAconectodk
New Member

To add some more information to my question: the data is regarding which applications were started from specific computers. So I want to filter out computers that have started more than 1 application, or even a specific application if that helps.

I tried dedup, but it still shows computers if they have more applications.
This is an example of the output. I only want PC005291 to be shown if it has 1 unique entry in the Application field.

_time                    Application                  Activity   extracted_Host
05/09/2018 11:48:27.000  Autostart SP IE11            Proxy      PC005291
05/09/2018 11:45:54.000  VA - login til StoreFront    Proxy      PC005291

Thanks

0 Karma

harshpatel
Contributor

Hi @lbkAconectodk, does the application field have a comma-separated list of applications?

And I realized the query should return the same with or without dedup because of our stats command.

0 Karma

harshpatel
Contributor

I've tried to test this using the following query. Maybe you can check and tell me if I'm understanding it wrong somewhere:
| makeresults count=10
| eval application="app".random()%10
| eval computer="computer".random()%6
| stats values(application) as apps by computer
| where mvcount(apps)=1

0 Karma
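An added, self-contained search that combines the makeresults test harness above with the asker's clarification (computers with exactly one application, optionally a specific one). It is not code from anyone in this thread. The field names Application and extracted_Host are taken from the posted output; the five rows are constructed with eval so the search runs without any index, and the target application name "Autostart SP IE11" is an assumption standing in for whichever application you are interested in:

```spl
| makeresults count=5
| streamstats count as n
| eval extracted_Host=case(n<=2, "PC005291", n<=4, "PC000001", true(), "PC000002")
| eval Application=case(n=1, "Autostart SP IE11", n=2, "VA - login til StoreFront", n<=4, "Autostart SP IE11", true(), "VA - login til StoreFront")
| stats dc(Application) as app_count, values(Application) as apps by extracted_Host
| where app_count=1 AND mvindex(apps, 0)="Autostart SP IE11"
```

The constructed rows give PC005291 two different applications (so it is dropped), PC000001 the same application twice (kept, because dc() counts distinct values and values() deduplicates, which is why a separate dedup makes no difference), and PC000002 a single application that is not the target (dropped by the second condition). Only PC000001 is returned. Replace the first four lines with your real search (index=... sourcetype=...) to run it against the actual data, and remove the `AND mvindex(apps, 0)=...` part if you want every computer that started exactly one application, whichever it was. mvindex(apps, 0) is safe here because app_count=1 guarantees apps holds exactly one value.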