I want to output computers that have only started 1 specific application.
Field values: Application + Computers
There are multiple computers and multiple applications in the datafile.
So I want to list all computers that only have 1 specific value in the Application field.
Example
If Computer1 has ApplicationA, ApplicationB and ApplicationC in the Application field list, I do not want Computer1 in the output.
If Computer2 ONLY has ApplicationA in the Application field list, then I want Computer2 in the output.
Thank you in advance
Hey, can you please try this:
your search | stats dc(application) as count by computer | where count=1
Hope this helps!
Hope this helps:
your search | stats dc(APPLICATION_FIELDNAME) as app_count, values(APPLICATION_FIELDNAME) as apps by COMPUTER_FIELDNAME | where app_count=1
for reference:
https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Stats
Unfortunately this still gives me computers which have multiple entries in the application field.
But I will try to look into the stats function.
If you have duplicate events you should perform dedup first:
| dedup computer, application
| stats count as app_count, values(application) by computer
| where app_count=1
To add some more information to my question: the data is regarding which applications were started from specific computers. So I want to filter out computers that have started more than 1 application, or even a specific application if that helps.
I tried dedup, but it still shows computers if they have more applications.
This is an example of the output. I only want PC005291 to be shown if it has 1 unique entry in the Application field.
_time                    Application                 Activity   extracted_Host
05/09/2018 11:48:27.000  Autostart SP IE11           Proxy      PC005291
05/09/2018 11:45:54.000  VA - login til StoreFront   Proxy      PC005291
Thanks
Hi @lbkAconectodk, does the application field have a comma-separated list of applications?
And I realized the query should return the same with or without dedup because of our stats command.
I've tried to test this using the following query. Maybe you can check and tell me if I'm understanding it wrong somewhere:
| makeresults count=10
| eval application="app".random()%10
| eval computer="computer".random()%6
| stats values(application) as apps by computer
| where mvcount(apps)=1
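The point the thread circles around is that stats count counts events, while the question asks for the number of distinct applications per computer, so a computer that started the same application twice gets count=2 and is wrongly dropped unless dedup runs first. The following is an added SPL example, not a query from anyone in this thread. It builds a small constructed dataset inline with makeresults (the PC001..PC004 and AppA..AppC names are made up for the example) so it runs on any Splunk instance without the poster's data, and it computes event count and distinct-application count side by side so the difference is visible in one search:

```spl
| makeresults
| eval data="PC001:AppA PC001:AppA PC002:AppA PC002:AppB PC003:AppC PC004:AppA"
| makemv delim=" " data
| mvexpand data
| rex field=data "^(?<computer>[^:]+):(?<application>.+)$"
| fields computer application
| stats count AS event_count, dc(application) AS app_count, values(application) AS apps BY computer
| where app_count=1
| where apps="AppA"
```

In the constructed data PC001 has two events for the same application, so event_count is 2 but app_count is 1 and it survives the first where without any dedup; PC002 has two distinct applications and is dropped; PC003 and PC004 each have exactly one. The last where is the "specific application" variant asked about in the thread: because each surviving row has a single-valued apps field, comparing it to a literal keeps only the computers whose sole application is AppA (PC001 and PC004 here). Omit that line to list every computer with exactly one distinct application, and swap the rex line for the real field names when running against the actual index.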