Hi,

I'm currently using the expensive transaction command to keep transactions without any duplicates.

So if I had
a
b
c
c
d
d
d

this would return
a
b

sourcetype... | transaction name keepevicted=true | search eventcount=1

I'm trying to use:

search sourcetype=... | streamstats count by name

Which will give me a new field 'count' however I can't use where count>1 as one of the duplicates still remain.
I've hit a mental block, any ideas?

Can't use dedup for the same problem, one instance will still remain.

Thanks in advance.