- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Display logs that have a unique field-value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry for the confusing title. Let me explain
When I query this search
| rex field=_raw "Session (?<number>\\w+) (\\((?<username>\\w+)@|)"
I get the following output.
Session 11111 ended
Session 11111 (user1@<ipaddress>) started
Session 55555 (user2@<ipaddress>) started
What I want to do is see the sessions that have been started and not finished. I've been able to capture a field for both the number (11111,55555) and the user (user1, user2). The way I was thinking about doing this is to display only the logs that have a field:number-count equal to 1. In this case, I only want the line with 55555 to display (because there is only 1 instance of it) and do not want the number 1111 to display (as it appears twice).
What is the best way to go about displaying the fields that contains unique instances? Is there a better way to go about doing this?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing some more searching, I found this thread:
and now have an answer to my question. The query should look like this:
| eventstats count by number | search count = 1
Thanks for helping me along!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Doing some more searching, I found this thread:
and now have an answer to my question. The query should look like this:
| eventstats count by number | search count = 1
Thanks for helping me along!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try |eventstats count(number) as Value|where Value = 1
That should limit it to events which have one occurrence.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hmm... not quite. It looks like this just counts the number of occurrences of the field number as opposed to marking the events that have one occurrence.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
