Re: Show only unique results

msarro · ‎09-28-2011

Hey everyone. One of my sources has a field which repeats occasionally. I want to filter out any events where there is a repeat of the particular field - so basically only return unique values. Really all I'm trying to get is a count of the non-repeated fields. I've tried using stats to subtract the distinct count from the normal count, but that still includes the repeated items. Any ideas would really be appreciated. Thanks!

To clarify, suppose your data set has a field called MYFIELD. Across 16 events, it has the following values:
1
1
1
1
1
2
3
4
5
5
6
7
8
9
9
9

Count would return 16.
dcount would return 9.
What I want is something that will return 6, counting only the fields which have no repeats.

Ayn · ‎09-28-2011

You could build transactions using MYFIELD to tie them together and then check which ones only contain one event and count those.

<yourbasesearch> | transaction MYFIELD | where eventcount=1 | stats count

vlapeintuit · ‎09-28-2011

have you tried using dedup

http://docs.splunk.com/Documentation/Splunk/4.2.3/SearchReference/Dedup

Show only unique results

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation