Greetings @uhaba, try this run-anywhere search:
| makeresults
| eval id = "11111" ,
vendor = "blah" ,
name = "tacoco",
value = "201" ,
date = "1/1/18"
| append
[ | makeresults
| eval id = "11115" ,
vendor = "splunk" ,
name = "tacos",
value = "221" ,
date = "5/1/18" ]
| append
[ | makeresults
| eval id = "11118" ,
vendor = "splunk" ,
name = "tacos",
value = "221" ,
date = "5/1/18" ]
| stats count values(id) as ids by vendor name value date
| where count > 1
Output:
vendor name value date count ids
splunk tacos 221 5/1/18 2 11115
11118
... View more