Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find out the record which has unique value

jianyu75074
New Member
‎02-22-2020 08:48 PM

I have records have 2 fields:
phone number result
1111 success
2222 success
2222 failed
3333 success
3333 failed
4444 failed

How to get the phone number which got failed ONLY. in this example, I want to get "4444"
if I search by result=failed, I got 2222,3333 and 4444. But I want to exclude 2222 and 3333 as they got "success"

is there any quick way to do that ? thanks!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2020 11:05 PM

Hi @jianyu75074,
try this

| makeresults 
 | eval _raw=" number result
 1111 success
 2222 success
 2222 failed
 3333 success
 3333 failed
 4444 failed" 
 | multikv forceheader=1 
 | fields - linecount _raw _time
 | stats values(result) AS result dc(result) AS dc_result BY number
 | search result=failed AND dc_result=1

where the solution are the last two rows.

Ciao.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎02-23-2020 12:32 PM

Like this:

... | stats values(result) AS results dc(result) AS result_count BY phone number
| where result_count="1" AND results="failed"
0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-22-2020 11:05 PM

Hi @jianyu75074,
try this

| makeresults 
 | eval _raw=" number result
 1111 success
 2222 success
 2222 failed
 3333 success
 3333 failed
 4444 failed" 
 | multikv forceheader=1 
 | fields - linecount _raw _time
 | stats values(result) AS result dc(result) AS dc_result BY number
 | search result=failed AND dc_result=1

where the solution are the last two rows.

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎02-22-2020 09:01 PM

Try this:

| mvcombine result | search result!="*success*"

Sample query:

| makeresults 
| eval _raw=" number result
1111 success
2222 success
2222 failed
3333 success
3333 failed
4444 failed" 
| multikv forceheader=1 
| fields - linecount _raw _time 
| mvcombine result 
| search result!="*success*"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...