Solved: How to display events in table format when same va...

rkeq0515 · ‎05-22-2020

Is there a way to display events in a table when the same value appears multiple times with other values?
I am looking for user accounts that appear on two or more systems.

The following is a list of records:

I have been trying different queries based off of the follow but I cant seem to get the correct syntax. I can get a count on field 1 and/or field 2, but I am not able to pull just those events listed above and the attributes accompanying (field3, field4, etc.) the events.

1. index="myindex"
2. | stats count by field1 field2
3. | where count > 1
4. | table count field1 field2 field3
5. | sort - count

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

View solution in original post

to4kawa · ‎05-22-2020

 index="myindex"
| eventstats dc(field1) as counts by field2
| where counts > 1
| table as_you_like

How about this?

How to display events in table format when same value appears multiple times?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?

How to display events in table format when same value appears multiple times?

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!