Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write a search to only return results where multiple values exist?

drinkingjimmy
Explorer
‎11-22-2016 01:17 PM

I have a log output which provides many fields, but the two I'm most concerned with are user and device.

I'm trying to output a list of users and devices which corresponds with the user from the log data, only in the event that the user has more than one device associated: I.e.:

JohnSmith DeviceA
JohnSmith DeviceB
SteveSmith DeviceB
SteveSmith DeviceC
TedSmith DeviceX
TedSmith DeviceY
TedSmith DeviceZ

I don't care about users who have only one device assigned, and want to focus on users where the distinct count of devices >1.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 01:51 PM

Try this

base search | stats values(device) as devices by user | where mvcount(devices)>1

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎11-22-2016 01:51 PM

Try this

base search | stats values(device) as devices by user | where mvcount(devices)>1
0 Karma
Reply
Solved! Jump to solution

drinkingjimmy
Explorer
‎11-22-2016 02:11 PM

This seems so obvious now that I see it. Thank you!

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎11-22-2016 01:45 PM

Can you try this if you have fields called user and device to return all the users who have more than once device:

your base query to return you the user and device field
| table user, device
| stats count by user
| where count > 1

OR alternatively:

your base query to return you the user and device field
| stats values(device) as Devices, dc(device) as DevicesHeld by user
| where DevicesHeld > 1
0 Karma
Reply
Solved! Jump to solution

drinkingjimmy
Explorer
‎11-22-2016 02:11 PM

This was a good solution, but the other was a little simpler. Thanks for your time!

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...