Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How find how many inquiry is assigned to particular person?

pal_sumit1
Path Finder
‎03-06-2018 12:59 AM

Suppose we are inquiry id as 1,2,3,4,5,6,7,8,9,10 and these are assigned to some person p1,p2,p3,p4.
Then 1,2,3,5 inquiry is assigned to p1 , 4,6 assigned to p2,7,8,9, assigned to p3 and 10 assigned to p4.

So the question is how to display person's having more than 1 inquiry assigned to them.
And we do not know about person name and inquiry,It is just present in database.

Tags (1)
0 Karma
Reply

niketn
Legend
‎03-06-2018 06:13 AM

@pal_sumit1, without details like sample data and field names and your existing query etc. it is difficult to assist you. However, based on your question seems like you are asking for something like the following. PS: dc() aggregate function gives distinct count.

<yourbasesearch> person=* inquiry=*
| stats dc(inquiry) as inquiryCount by person
| search inquiryCount >1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply

pal_sumit1
Path Finder
‎03-06-2018 06:28 AM

Yes,you are right,I am also doing like this.But is there is another way to do this?

0 Karma
Reply

niketn
Legend
‎03-06-2018 07:03 AM

Could you please let us know the reason to look for another way to do this? Is there performance issue or different use case?

To me it seems correct way to identify persons you are interested in. You can also use values() to show unique values of inquiries

 <yourbasesearch> person=* inquiry=*
 | stats dc(inquiry) as inquiryCount values(inquiry) as inquiries by person
 | search inquiryCount >1
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

niketn
Legend
‎03-06-2018 07:38 AM

@pal_sumit1 if this addresses your need, please accept the answer to mark this question as answered. If not please let us know any further queries that you may have!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...