Splunk Search

How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?

ttovarzoll
Path Finder

I am trying to create a Splunk Alert which -- well, the details will take too long to explain 🙂

The issue is that I'm generating a stats list where some of the results have a single value while others have multiple, e.g.

PrimaryField SecondaryField
resultToKeep result1
result2
resultToToss

result1

 

How do I filter-out the 'resultToToss' based on the fact there's only 1 'SecondaryField' result for it?

Labels (1)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

@ttovarzoll - it would be >1

| where mvcount(SecondaryField)>1

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @ttovarzoll,

you could add a "dc" option ro your stats command, something like this:

your search
| stats dc(secondaryField) AS dc_secondaryField values(secondaryField) AS secondaryField BY primaryField
| where dc_secondaryField>1

that you can use for your filters.

Ciao.

Giuseppe

ttovarzoll
Path Finder

Giuseppe,

Thanks, that's a great trick! But wouldn't it lose the original values of SecondaryField?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @ttovarzoll,

if you add (as hinted in my solution) the "values(secondaryField) AS secondaryField" option in the stats command, you don't lose it.

Ciao and happy splunking.

Giuseppe

0 Karma

ttovarzoll
Path Finder

oh! wow, I didn't know you could do that -- list one of the original fields twice in the stats command 😁 I was seeing the dc(SecondaryField) and assumed that was the only/last reference to that field.

You've unlocked a whole new wave of discovery for me!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You can use mvcount in a where clause to filter out singletons.

| stats list...
| where mvcount(SecondaryField)=1

 

---
If this reply helps you, Karma would be appreciated.

VatsalJagani
SplunkTrust
SplunkTrust

@ttovarzoll - it would be >1

| where mvcount(SecondaryField)>1
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...