Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?

ttovarzoll
Path Finder
‎05-06-2022 02:51 PM

I am trying to create a Splunk Alert which -- well, the details will take too long to explain 🙂

The issue is that I'm generating a stats list where some of the results have a single value while others have multiple, e.g.

PrimaryField SecondaryField
resultToKeep result1
result2
resultToToss

result1

 

How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎05-06-2022 10:36 PM

@ttovarzoll - it would be >1

| where mvcount(SecondaryField)>1

View solution in original post

Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎05-06-2022 10:33 PM

Hi @ttovarzoll,

you could add a "dc" option ro your stats command, something like this:

your search
| stats dc(secondaryField) AS dc_secondaryField values(secondaryField) AS secondaryField BY primaryField
| where dc_secondaryField>1

that you can use for your filters.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ttovarzoll
Path Finder
‎05-09-2022 11:10 AM

Giuseppe,

Thanks, that's a great trick! But wouldn't it lose the original values of SecondaryField?

0 Karma
Reply
Solved! Jump to solution

gcusello
Esteemed Legend
‎05-09-2022 11:09 PM

Hi @ttovarzoll,

if you add (as hinted in my solution) the "values(secondaryField) AS secondaryField" option in the stats command, you don't lose it.

Ciao and happy splunking.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

ttovarzoll
Path Finder
‎05-10-2022 10:05 AM

oh! wow, I didn't know you could do that -- list one of the original fields twice in the stats command 😁 I was seeing the dc(SecondaryField) and assumed that was the only/last reference to that field.

You've unlocked a whole new wave of discovery for me!

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎05-06-2022 05:13 PM

You can use mvcount in a where clause to filter out singletons.

| stats list...
| where mvcount(SecondaryField)=1

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution
Solution

VatsalJagani
Super Champion
‎05-06-2022 10:36 PM

@ttovarzoll - it would be >1

| where mvcount(SecondaryField)>1
Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...