From my search and transaction command I get the following table. To further process my results, I want to remove the row with ID V3 because it does not exist for type B. Is there a command opposite to dedup?
Type  ID  Score
A     V1  123
B     V1  786
A     V2  45
B     V2  34
A     V3  95
OK, found a way to do it:
stats count dc(Type) as sourcetypes by ID | search sourcetypes > 1
Change sourcetypes > 0 to 1 to remove the unique row.
I have updated the answer.
Wouldn't this keep all the rows?
This can be achieved in two steps (may need adjustment per your search).
your search producing above | eventstats count by ID | where count > 1
This will remove all the records where ID appears only once (unique).
Thanks @somesoni2 - that works as well.
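An added example, not from any poster in this thread: a self-contained search that rebuilds the table from the question and keeps only IDs that appear under every Type. It goes slightly beyond the thread by counting distinct Type values instead of rows, so an ID with two rows of the same Type is still dropped, and by using eventstats throughout so the Score column is preserved. The field names constructed_rows, total_types and types_for_id are assumptions made for this example, and the sample rows are constructed from the table in the question.

```spl
| makeresults
| eval constructed_rows="A,V1,123 B,V1,786 A,V2,45 B,V2,34 A,V3,95"
| makemv delim=" " constructed_rows
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<Type>[^,]+),(?<ID>[^,]+),(?<Score>\d+)$"
| table Type ID Score
| eventstats dc(Type) as total_types
| eventstats dc(Type) as types_for_id by ID
| where types_for_id == total_types
| fields - total_types types_for_id
```

To use it on real data, replace everything up to and including the `table` command with the search that produces the Type, ID and Score fields.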