Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How find how many inquiry is assigned to particular person?

pal_sumit1
Path Finder
‎03-06-2018 12:59 AM

Suppose we are inquiry id as 1,2,3,4,5,6,7,8,9,10 and these are assigned to some person p1,p2,p3,p4.
Then 1,2,3,5 inquiry is assigned to p1 , 4,6 assigned to p2,7,8,9, assigned to p3 and 10 assigned to p4.

So the question is how to display person's having more than 1 inquiry assigned to them.
And we do not know about person name and inquiry,It is just present in database.

Tags (1)
0 Karma
Reply

niketn
Legend
‎03-06-2018 06:13 AM

@pal_sumit1, without details like sample data and field names and your existing query etc. it is difficult to assist you. However, based on your question seems like you are asking for something like the following. PS: dc() aggregate function gives distinct count.

<yourbasesearch> person=* inquiry=*
| stats dc(inquiry) as inquiryCount by person
| search inquiryCount >1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

pal_sumit1
Path Finder
‎03-06-2018 06:28 AM

Yes,you are right,I am also doing like this.But is there is another way to do this?

0 Karma
Reply

niketn
Legend
‎03-06-2018 07:03 AM

Could you please let us know the reason to look for another way to do this? Is there performance issue or different use case?

To me it seems correct way to identify persons you are interested in. You can also use values() to show unique values of inquiries

 <yourbasesearch> person=* inquiry=*
 | stats dc(inquiry) as inquiryCount values(inquiry) as inquiries by person
 | search inquiryCount >1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎03-06-2018 07:38 AM

@pal_sumit1 if this addresses your need, please accept the answer to mark this question as answered. If not please let us know any further queries that you may have!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...