Splunk Search

Keep transactions without duplicates without TRANSACTION or DEDUP

splunked38
Communicator

Hi,

I'm currently using the expensive transaction command to keep transactions without any duplicates.

So if I had
a
b
c
c
d
d
d

this would return
a
b

sourcetype... | transaction name keepevicted=true | search eventcount=1

I'm trying to use:

search sourcetype=... | streamstats count by name

Which will give me a new field 'count' however I can't use where count>1 as one of the duplicates still remain.
I've hit a mental block, any ideas?

Can't use dedup for the same problem, one instance will still remain.

Thanks in advance.

0 Karma

somesoni2
Revered Legend

Here you go

your base search | eventstats count by name | where count=1
0 Karma

splunked38
Communicator

Thanks but sorry, this does not meet the spec.

If a duplicate is found, remove all entries.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...