Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Query to find events with more than 2 values for a specific field compared to another field

john_byun
Path Finder
‎02-01-2021 01:18 PM

I'm trying to create a query to show me all users who have purchased more than 1 type of product.

Each event has a "user" field and a "product" field.  I only want to see the users that have purchased more than 1 type of product.

"| stats count by user product" 

This shows me all user and product combinations, but don't know how to filter all events where a user only purchased one type of product.

I feel that it should be a very simple query, but can't seem to figure it out.

Labels (5)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-01-2021 01:24 PM

Hi @john_byun,

Please try below;

| stats dc(product) as count by user
| where count>1

 

If this reply helps you an upvote is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎02-01-2021 01:24 PM

Hi @john_byun,

Please try below;

| stats dc(product) as count by user
| where count>1

 

If this reply helps you an upvote is appreciated.
Reply
Solved! Jump to solution

john_byun
Path Finder
‎02-01-2021 01:36 PM

Perfect!  Thanks for your help.

0 Karma
Reply
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>

Get Updates on the Splunk Community!